WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification * 
H04N 7/16, 7/167 



Al 



(11) International Publication Number: WO 99/07150 

(43) International Publication Date: 1 1 February 1999 (1 1.02.99) 



(21) International Application Number: PCT/US98/16I45 

(22) International Filing Date: 31 July 1998 (31.07.98) 



(30) Priority Data: 

60/054.575 



1 August 1997 (01.08.97) 



US 



(71) Applicant: SCIENTIFIC-ATLANTA, INC. [US/US]; Intellec- 

tual Property Dept., One Technology Parkway South, Nor- 
cross, GA 30092 (US). 

(72) Inventors: PALGON, Michael, S.; 1 196 Poplar Grove Drive, 

Atlanta, GA 30306 (US). PINDER, Howard, G.; 4317 
Stilson Circle, Norcross, GA 30092 (US). 

(74) Agents: GARDNER, Kelly, A. et al.; Scientific-Atlanta, Inc., 
Intellectual Property Dept., One Technology Parkway South, 
Norcross, GA 30092 (US). 



(81) Designated States: AL, AM. AT, AU. AZ, BA, BB, BG, BR, 
BY. CA, CH, CN, CU, CZ, DE. DK, EE. ES. Fl. GB, GE, 
GH, GM, HR, HU, ID, IL, IS, JP, ICE, KG, KP, KR. KZ, 
LC. LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, 
MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, 
TM, TR, TT, UA. UG, UZ, VN, YU, ZW. ARIPO patent 
(GH, GM, KE, LS, MW, SD, SZ, UG. ZW), Eurasian patent 
(AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent 
(AT, BE, CH, CY, DE, DK, ES, FI. FR, GB, GR, IE, IT, 
LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, 
CM, GA, GN, GW, ML, MR, NE. SN, TD, TG). 



Published 

With international search report. 



(54) Title: ENCRYPTION DEVICES FOR USE IN A CONDITIONAL ACCESS SYSTEM 



2403^ 



DB 



2407(0)^ 



-TO 517 



2407(n)^ 



EA 



2411 



DHCT 
KEY DB 






i 








EA TED 


i 
i 

i 


EA TED 




CAA TED 




j 


^2425(n) 


^2427 



(57) Abstract 

A cable television system provides conditional access to services. The cable television system includes a headend from which service 
"instances", or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances 
for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or 
central authorization agents. Keys used by the set lops for selective decryption may also be public or private in nature, and such keys may 
be reassigned at different times to provide a cable television system in which piracy concerns are minimized. 
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ENCRYPTION DEVICES FOR USE IN A 
CONDITIONAL ACCESS SYSTEM 

5 Related Patent Applications 

The present patent application is a continuation-in-part of the following U.S. applications, 
all of which are assigned to the assignee of the present U.S. application: 

U.S.S.N. 08/767,535, Robert O. Banker and Glendon L. Akins III, Preventing Replay 
1 0 Attacks on Digital Information Distributed by Network Service Providers, filed 1 2/1 6/96; 

U.S. Patent No. 5,742,677, Pinder, et al., Information Terminal Having Reconfigurable 
Memory, filed 4/3/95; 

1 5 U.S.S.N. 08/580,759, Wasilewski, et al., Method and Apparatus for Providing ^ 

Conditional Access in Connection-Oriented Interactive Networks with a Multiplicity of 
Service Providers, filed 12/29/95; 

U.S.S.N. 09/1 1 1 ,958, Seaman, et al., Mechanism and Apparatus for Encapsulation of 
20 Entitlement Authorization in Conditional Access tysteny fijed 7/8/98; 

The present patent application al<>o claims priority based gn U.S>S.N. 60/054,575, 8 . nJ * 
Wasilewski et al., Conditional. Access System, filed August 1 , 1 997. The present 
applitition is further one of seven applications with idfefltical D^ailed Dgscjipti^^ 
25 9?„tfiese applications haye the 'same filing date and all haveCthe same assignee. The titles 

• and inventors of the six applications follow: n 

0^-3^1 8), Wasilewski, et al., Conditional Access System, Med July 31, 199S; 

30 (D-3373), Akins, et al., Method and Apparatus for^Geographicatly Limiting Service in a * 

Conditional Access System; filed July 31, 1998; v J » 1 

'•• 1 • 
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1 (D-3457 ), Wasilev&ki, et al., Authorisation of Services in a Conditional Access System, 
medJiiiy31;il998; {r : :nyii ^ ; v - V " 

(D-3472), Akiii&, et af Representing Entitlements id Service in a Conditional Access 

5 ^e^/filed^uly31^199g; r; r rL 5 ^ s v ^ 

■•• yi/.v^r.-^ iidir V.- :.v.^;*- " ^ ' : - 

(b-2999)rPi^der/fet ) ai., Verification of the Source of Program Information in a 
Conditional Adcess System, fifed July 31,1998; 

10 (D-361 4), Pinder, ei*ei\,lSourceA^ of Download Information in a Conditional 

AcCeX System, ffied julyli] 1 90^ . % - ^ : 5 v : i '\ 

/. . " r . . .-;c c u *: f s inu. . r^r.;.; i : ^« ^ ' -~ **-' - - c : -' 

Field of the Invention 

15 The invention concerns systems for protecting information and more particularly concerns 

systems for protecting information that is transmitted by means of a wired or wireless 

medium against unauthorized access. 

• . -si /?:r:: - ' 2 c » s ' ■: . /:■•' . "Si.. ^' . / M:^'*''*.^. 

" .*ivc tr. '*v-. . r SJ ^ J-i *i ^ " . . *u -*i . ' . ; . * . v. j r j -u';. 

20 Background of the Invention f , 

Qnp way of distributing^ infonnation is to broadcast it, that is, to place the information on 
a medium 1 ^om which ji^^ be received by any device that* is connected to the medium. 
T^le\dsio^and .radiQ are f \yje Jl-Jcnoym broadcast media. If one wishes to make money by 
distributing information qn,a^broadcast medium, |here are a couple of alternatives;; A first 

25 is to find sponsors to? p^y fpr broadcasting th^ infonnatipn. A second is to permit access 

..... to^ ^the broadcast infq^aUon.pnly to;those who have paid for it. This is generally done by 
broadcasting the information.in scrambled or encrypted form. Although any device that is 
connected to the medium can receive the scrambled or encrypted information, only the 
devices of those users who have paid to have access to the information are able to 

30 unscramble or decrypt the information. 
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A service distribution organization, for example a CATV cpmpa^y or a satellite television 
company, provides its subscribers with information from a number, of program sources, 
that is, collections of certain kinds of information. For example, the History Channel is a 
program source that pro yide^teleyision ^ 

by the History Channel is an "instance" of that program source... W^en^ie^ service , 
distribution organization broadcasts an instance of the program source, it encrypts or 
scrambles the instance to foryn encrypted instance. y An enprj^?tejl instgujce cpntains 
instance data, which is the encrypted information, ir^^ng up program. ( . . Vr , 



10 



An encrypted instance Js broadcast over a transmission medium. The transmission 
medium may be wireless or it may be "wired", that i$, provided, via a wire, a coaxial 
cable, or a fiber optic cable. It is received in a large number of set top boxes. The 
function of set-top box is to determine whether encrypted instance should be decrypted 
and, if so, to decrypt it to produce a decrypted instance comprising the information 

15 making up the program. This information is delivered to a television set. Known set top 

";fr»MA * . i. .> ..k:. n;q -.oi am-wav* ::£vn.. to:* ic* i 4 ^v«i;t-n r 

boxes include decryptors to decrypt the encrypted instance. 



FJ4. J ! 



Subscribers generally purchase services by the month (though a service may be a one- 
time event), and after a subscriber has purchased a service, the service distribution 
20 organization sends the set top box belonging to the subscriber messages required to 

provide the authorization information for the puktiase^d^M^es/ AMon^iim a 

for 

r ^kmrttplcMii ari 6ut-of-barid RF lihk, to a set i6p*Sb& ^^\^i^i^^¥h^^^ 
M C^mpld^d to encrypt thfe authorization irifbrihafibri.-^ 
25 scr.il A include a key for a servicfe of the Service distributi6n°orgahi^ indication of 

?.x*x wharprogtams in the servide thS subscriber is : entitled to watch; If the authorization 
v :^r . information indicates that the subscriber isTerititled to wafcfi ffie projgram bf ari'tencrypted 
•■£• instanceythe set-top i>ox decrypts the enciypt^lhsfeni:^: j ' : - nr ' 0 1 ' ; * ' A * !: : L '*' r 
liS'^ir - 4 . • ■/■:.•>■ ? • ^. • .-'j;V. r:v./ :t:j;1?-:v: or ' ■ 

- Vf.-rno*. r sir ,Y~'y w .;,\ . . 
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It will be 1 appreciated that "encryption" and "scrambling" are similar processes and that 
"decryption" and "descrambling" are similar processed; a difference is that scrambling 
and descrambling are generally ^hal6fe in^nature, while encryption and description 
processes are usually digital. ' 1 J }'- r - 

f ■ The access restrictions are Vequired iri both analog and digital systems. In all systems, the 
continued ieehriological improvements being used'to overcome the access restrictions 
- require more secure and flexible 'access restrictions. As more systems Switch from an 
analog format to a digital format,' 6* a hybrid system containing both Analog and digital 
1 0 fokriats, flexible access restrictions '^will be required. " s ! " ' 2 

Restricting access to broadcast information is even more important for digital 
information. One reason for this is that each copy of digital information is as good as the 
original; another is that digital information can be compressed, and consequently, a given 

15 amount of bandwidth carried rttkitf more information in digital form; a'tliird is that the 

service distribution organizations are adding* reverse piths which permit a set-top box to 
sehci a message to the service'di^tribution organization, thereby permitting various 
interactive servicek " f 1 s tir 1 J ^ 
Thus, the service distributi^ri t di'ganizatibils require access restrictions which are both 

20 more secure and more flexible than those in conventional systems 

Brief Description'^ ' ' 

FIG. 1 is a block diagram of a conditional access system; 
FIG. 2 A is a Block-diagram of the service instance encryption techniques 
25 disclosed herein; 1 • * ■ 

FIG. 2B is a block diagram of the service instance decryption techniques 

disclosed herein; 

FIG. 3 is a more detailed block diagram of the service instance encryption and 



decryption techniques disclosed herein; 

4 FIG. 4 is a felbck'di'agra 
entitlement agents to a DHCT; 



30 FIG. 4 is a block diagram of the techniques used to dynamically provide 
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t . a . v .FIG. 5 is a, block diagram of a digital broadband delivery system in which the 
. . r conditional access system is implemented;.: , ... . > r; :; j, :V v < .-. , w w - 
.FIG. |6 is a blpck diagram of ^ 
broadband delivery system of FIG. 5; ; , ; 3 ^ : 

5 FIG. 7 is a diagram of an MPEG-2 transport stream; 

f . . , FIG. 8 is a diagram of how EMMs are, mapped^nto aij MPEGr2 JranspQit stream; 

FIG. S> is a c^agram o^Jiow EMMs are mapped intp^anJP packet; : ^ r: ; 
FIG. ; 10 is a. diagram of, bpyt ECMs , are> jg^p^d^ntp a Mf EG-2 transport stream; 
FIG. 11 is a detailed diagram of an EMM. r rr uy . i . > fJ3fn . 
10 FIG. 12 is a detailed diagram of a pre;fei^d e^b?d^^ 

FIG. 13 is a diagram of the contents of memory in DHCTSE 627; 

FIG. 14 is a diagram pf how NYSjCs arj^Joc^ted tq,entitlemQnt,agei?ts in a 

: preferred embodiment; . . i i o^, -\ .u./u-r..- .V: 

FIG. 15 is a diagram of an EAD HVSC;^ . i .. Ji< ' j:i J::r \. .., ^ l7 > 
15 ; . . FIG, 16 is a diagram of other km^Qf >^§^s^ t ^ ;iS K, /^ ; ^ r f v ; : ; r e 

, ; FIG.17 is a diagram of an event NYSC; . y^'-i^'o x?^: ftr^rr-^ 
FIG. 18 is a diagram pf a global b^qadcast ^thentijcated ^essag^(GB>\M); 
FIG. 19 is a detail of the contents of one kind of GBAM; n; . i<t lt<; .^5 . ; 
FIG. 20 is a diagram showing ho t w GBy^M&iflay bp used gc^rally^to proyide data 
20 to a client application;, _ ^ ,jdi :feih^r .i^r;.^^^! 

FIG. 21 is a diagram of a forwarded purchase message; 
FIG. 22 is a diagram of the entitlement j^tniqep^^ j . .... g 

FIG. 23 is a diagram of a code message; 

FIG. 24 is a diagram showing the relationship JpPfi .^3^^ e rest °^ 

25 conditional access system 601; 

FIG. 25 is a detailed diagram of a TED; Ts . 

FIG. 26 is an illustration of the coordinate system used for spotlight and blackout; 
FIG. 27 shows how an area is computed in the coordinate system jof FIG. 26; 
FIG. 28 is a description of a public key hierarchy; And 

FIG. 29 is a description of an EMM generator according to the present invention. 
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The reference numbers in the drawings havd at' least three digits. The two rightrhost digits 
are reference numbers within a figure; the digits tb' the left of those digits are the number 
-of the figure in which Wjtemideiitefi^fey &e'rieierfencfe number first app&rs! For 
example, an item with reference number 203 first appears in FIG. 2: 



Detailed Description of a Preferred Embodiment 



'SI 1 



The following Detailed Description will first provide a general introductipii to a j 

10 conditional access .system an4 tp^encr^tion and decryption, wi 

service instance encoding and decoding, is done in a preferred embodiment, and will 
thereupon describe the techniques used in the preferred embodiment to authenticate the 
ECMs and J^MMs oftifee preferred em^iment. Next, the Detailed description will 
describe how EMM? can be used to dynamically add and remove access to services and 

1 5 the role of e^cryptio^ ^id authentication in these operations. Finally, there vyill be^a 

defiled exposition of how |hg techniques described in the foregoing are employed in a 
^ broadcast ^^^^^^^^st^^mtiifS node structure anda reverse path fromthe set top 
box to the head en& of ^ and memory are employed in the preferred 

embodiment to prpjectkeys md entitlement information, and of how, certain operations 

20 L are performed. iij the .preferred : ^bodiment. . . . v , 

Conditionai Access^ ^ ; - . .,- v , 

FIG. 1 provides an overview of a system 101 for limiting access to broadcast information. 

Such systems will be termed in the as "conditional access systems". A service distribution 

25 organization 1.03 , for e^^mple j a^QATV company or ^satellite television company; 

provides its .sujb^pribf^s, ^th.jLofoxni^oix from a .number ,of services, that is, collections of 
certain kinds pf infonxia^i^. F : pr example, the. History Channel is a service that provides 
television program? abpuj ;^^-b^ h .PP& 1 ^-:Pr 0 Yif 1< ^. by- the History Channel is an 
"instance" of that r seivice : . ;When tJhi.e secyipe distribution : organization broadcasts an 

30 instance of the service^it eqqryjpto or scrambles the instance to form encrypted instance 
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105. Encrypted instance 1Q5 contains iraitanpe data,/! 09,* which is the encrypted 
information making up thg program, and entitlement coiitrpl messages (ECM) 1 07. r . The 
entitlement control messages contain infonnation ^iepded;to decrypt the encrypted portion 
of the associated instance data 109. A given .entitlement, control mes5age.is.sent many 
5 times per second, so that it is immediately available to any new viewer or a service. In 

order to make decryption of instance data 109 even more difficult for pirates, the content 
of the entitlement control message is changed every few seconds, or more frequently. 

Encrypted instance 1 05 is broadcast over a transmission medium 1 12. The medium may 
10 be wireltess or it may be 'wired", that is, provided via a - wire, a coaxial* cable, or a fiber 

optic'cable. It is received iri !a large number of set top bBxes 1 1 13(0 Z n)l each of which is 
attached to a television set: It is a function of set-tbp bbx h l \3 lK io determine whether 
encrypted ihstknce 105 should be decrypted and if l i$;t6 decrypt it to produce decrypted 
1 instance 123, which is delivered to ttie television self? AS shbWn in detail with regard to set 
15 top box 1 13(0);'set top box 1 13 incfudes decrypted f tS 9 N^Iu*ch Uses a control word 1 17 as 

: arkey to decrypt encrypted instance! 05/ Confrol WBrd ^7ii pfo^ceci by control word 
a *g6nerato¥4 19 from information ctiiitaKned in entitlement control &e&agg 107 and 
informatioh from autHoriikt^ I'3/lForex^npie, 
^- 121 may include a key^fOt'fte^eiVi'de' 'iiAil l £ri indication of what 
20 7 r;0( progi l ams ; in the Service the subscribers entitled t6&^ " ' ~ f 

information 121 indicates that the subscribers 

instance 105, control word generator 1 19 uses the key together with information from 
ECM 107 to generate control word 117. Of c&ir^ n^66ihifef Wnll^ l gcA^{e& for 

The*atiih6ri£3ti6n information used 1 in a r pkrticular sStH6^W6x 11 3(1 j'ik obtained from one 
^^of ikorc entitlement management messages 1 ! VI ad& essed 'to ^ Set'tbp feox* 1 13^)- 4 

; Subscribers generally purchase Services by tfi£ niortth (ihtldghf Service may be a one- 
- :: time^v6nt), and after a sift^ 
30 ^ brgsfeiiation 103 seridg sfet tbp bbx lT3<i) S&bnfeitig ft* W^iSstrib'er Entitlement 1 
management messages 1H as reqiiired "-to prtviddthfe iMiHriz^tioh information 121 
required for the purchased services. Entitlement management messages (EMMs) may be 

7 
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sent interleaved with instance data 109 in the same fashion as ECMs 107, or they may be 
sent via a separate channel, fc^^^ ah out-of-band RF link, to set top box 1 13(i), 

which stores the information from the Entitlement management message (EMM) 1 1 1 in 
authorization information 0 !^ : ' <3f course, vairious 4 techniques have been employed to 
encrypt entitlement management messages 111. 

Encryption and Decryption Generally 

The encryption and decryption techniques used for service instance encoding and 
decoding belong to two general clashes : Symmetrical key techniques and public key 
-techniques." A Syn^effifcd'key erici^tion systeni is one in which each of the entities 
- wishing to communicate has a 1 copy J df a key; the sending entity encrypts the message 
using its copy of the key and the receiving entity decrypts the message using its copy of 
- the key. 1 An example symmetrical'keiy encryption-decryption system is the Digital 

Encryption Standard ''(DfiS)'^Mbhi. A public key encryption system is one in which each 
of the entities wishing to communicate has its own public key-private key pair. A 
1 message encrypted With? the^piiblie key can only be decrypted with the private key and 
^6€^txi^:^^ as long as a given entity kedps its private key secret, it can provide its 
public key to any other entity that wishes to communicate with it. The other entity simply 
encrypts the message it wishes to send to the given entity with the given entity's public 
key and the given Entity uses its private key to decrypt the message. J "Where entities are 
exchanging messa^e^ ekch entity miisf have the other's 

public key ! The private icejpfeSh aisfd be%se& in digital signature operations, to provide 
authentication.' and symmetrical key and public key 

1 6nctyptf6n Wpf^ci(kafr 9 '^8nic6 Scftaeier, Applied Cryptography, John Wiley tod 

Sons' New Yoric,1994; • ]n r : ■ V " * ^ :I 

■ ii : :<:r or Ji.z\ ' ub -.sir: ^ ; ■ £ \- ' ~ "'*: ••• • , ' rr ' 

The design of an encryptioh' system for a given application involves a number of 
considerations. As will be 'S^e^ri in the following; considerations that are particularly 
important in the broadcast message environment include the following: 
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. • key security: A synunetrical key syst^ 
, . . 10 the key shared t>y the,pommiuiicat^ public key system is 

also useless if someQne qtl^er tlrag .^e.owr^ has access 

5 to the corresponding private Key., „ m *<^^ " J*. A £ 

• key certification: how can the recipient of a key be sure that the key he or she 
has received is really a key belonging ? |o tiip i entity to Ay^ch the reqipipnt 
wishes to send an encrypted message anji not a key belgi^ging^ to another entity N 
which wishes to intercept the njes^ge?. (> , r . fI . > v 

1° ... message authenticati^^^ y 

message is from the pai^ } it claimsJo ^ 

, ; • speed of encryption and deci^ption: L in general, symmetrical key^ncryption 
syste^ are faster than pubU^ 



15 with real-time data. : , f ^ % , ; . . rr< j -v / ^ 

. • key sfce: in general, t£e, longer thejcey use<i inpn. jejpci^ptw^ystem^ jhe more 
, resources will be required to break th$, e^c^ygtipn.and thereby gaki access to 

v iqr ;/ ; „:.. thenie^age. ^ ^ .. i5fi] ,fe^;ov ,;.iy:,:;r 

20 All .of the foregoing considerations are influence4,by ; the fact that t th? j^yironmentjn - 
which a conditional access sy^tenj pper#^ i^t.J^p^we;4^Q u be hostile,, 
t customers of broadcast servicq^see nothing wr<^g t w^jchefting ( the;S provider and 
. have nothing against tampering phy§iq^lly ? y/ith th£ portion^offtoe^ondk^ 
, sjstem that is contained in the receiver pr using varip^s^^Jograp^uc^tt^cks tCKSteal 
25 keys or to deceive the receiver about the source of the message it receives. ,Mqrepver, 

the providers of the systems that actually broadcast the services do not necessarily have 
the same interests as the providers oflhe service.Qpntent* and^herefore need to control not 
only who can access a given instance of a service, buj, al§$ what entities can offer services 
to a given receiver. 
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Service Instance Encry^ 

In overview, the encryption system' of the present invention uses symmetrical key 
encryption techniques to enc^t arid decrypt the service instance and public key 
■ - encryption techniques tfo transport a copy of one of the keys used in the symmetrical key 
5 - techniques of tKe key from the f servi6fe w provider to the set-top bok. ^ 

In Fig: 2A,-tlear ^eiVites siich as the elementary digital bit streams which comprise 
MPEG-2 programs are sent' through a 1 sl level encryption called the Program Encrypt 
function 201 , which is preferably "a : symmetric ciphef such as the well-known DE!5 

10 algorithm. Each elementary stream may be individually encrypted and the resulting 

entrypted streams are 1 sent to ftfUX 200 to be combined with other elementary' streams 
and private^clatai suctfas ddnditionkl access data. The key used in the Program Encrypt 
function 201 s is calied'the Control Word^CW) 202* the CW202 is generated by control 
word Generator 203 which can be either a physically random number generator or can use 

15 - a sequential' counter with* a suitable Randomization algorithm to produce a stream of 

random CWs. A newCW is generated frequently, perhaps once every few seconds and is 

"'■ applied to' each elementary stream 7 oh the' same time scale. Each new C W is encrypted by 

C^ntro^'Word iSrielypt' & Me^agfe-' Atithenticate' function 204 using a Multi-Session key 
'(MSR)'2d8* prWvrdted ^Multi-Session Key generator 205. the CW is then combined into 

20 ■ ■' ' an ECMlO? with other'service-related information. The ECM 107 is authenticatea by 
0 Control Word Enci^t'i^'Nire^ge y Ati^ehticate function 204 Which produces a message 
authentication code using akeyed-hash value' derived from the message content combined 
with a secret which can be shared with the receiving set-top box 113. This secret is 
preferably>art oVall^ 

25 •'- die rest of the ECM' lW. i? Tne ; CW 202 is always encrypted before being seni along with 
the! other part^ of tne ECM tS r MUX 200. This encryption is preferably a symmetric 
cipher such as toe^ripfeDES algorithm using two distinct 56-bit keys (whicfitaken 
'together comprise MSK ^S): 1 ^ " ! " ~ 1c ' ' ''' "' ' ; " 

30 The MSK 2Q8 has a.longerilifetime than GW 2G2v The MSK lifetime is typically hours to 

: < , ■ . days in length. MSK 208 cis bolh.enciy.Rted and digitally signed by MSK Encrypt & 
. Digital/Signature fimciiont206 before being sent to; MUX 200 encapsulated in EMM 111. 
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MSK 208 and other parts of EMM 1 1J are preferably encrypted; using a.public ke> 
algorithm, such as the well-known RSA algorithm, wth t a public key asscxciated wfth the 
specific set-top box 113 to which the. EMM is adijrejsspjl = . The.public keys of alL $et-top 
boxes 1 13 in a system 101 are stored in Public K<py Daja^Base.207. The public keys in 
this data base are preferably certified by a. certificate authority.,. The, digital, signature 
function in 206 is preferably the RSA digital signature method, although others could be 
used. In the case of an RSA digital signature, the private key which is used to, make the 
signature belongs to the entitlement agent within service distribution organisation 103 
responsible for authorizing the associated service. . t .... 

.J-.*-: j • *■ , . v: '- "l- '*i *. i. s.* • '»■«■>* *■»' ■■- " ; 



In FIG. 2B, the corresponding DHCT private Jeey and associated DHCT public secure 
micro serial number are stored in memory 232 qf decocjer; 2^ , P^Mic^ecure. micro serial 
number is provided so that demultiplexer 230 can, s^lg^t an, encrypted miUti-session key 
addressed to decoder 240 from transport data ?*reaijn (TT^S^. : E^prypte^multi-session key 
15 . E Kpr (MSK) is decrypted in deciyptor 234 using DHCX Pfiv^ Jeey frora r mempry t 232 to 

provide multi-session key MSK. Denuiltiplexer 230 ^ 4.*/ 
stream TDS encrypted control word (CW) r E^ K (£ W), Jhfy enc^tedJ^V^ is gyocessed in 
decry^tor 236 using multi-session key MSK as ihe ^eciyp^o^ J^^.to p^oyjd^ t^e } j£. 
unencrypted CW . The unencrypted J^W preferat^ .j 
20 . once every few seconds. Demultiplexer 230 also selects frqm transport, dat;a stream TDS v 
encrypted servipe (SERVICE). Theenqn^t^ 

using the C W as the decryption key to recover the unencryptf 4 service, . . „ t .? . 

^ . . r r » - - : . . ^ ' h^:«f?? scf iic ? fi^^lv/ ;^:>t*2 r!.ii'^ 

Detailed Implementation of the Encryption System x>f FiG« 2: FICi. 3 m r - , 

25 FIG. 3 presents more details about a preferred implementation of s^ten^^FIG. 2. 

Encryption/decryption system 301 haSjtwq % n^ai^^omi>oner^: ^.§p(fpe origination 

component 305 and service reception com^nent 333^ Tlje ^fi- # are. 4 CQnneptedT^y a 

transmission medium 331, which may be any mediunj v ^ 

service origination component 305 to service reception component 333. Service reception 
30 r > component 333 is implemented in a. set-lop =box; termed hereinafter' a-dfgital home 

commiinications terminal (DHGT). It may, ;hov^ver*eai^embnb^ any device which 
hasithe T^eQessary computation power, for exam^tej a personal computer or work station 
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or an "intelligent" television set; In the service origination component, at least the portion 
labeled 306 is typically imptenfented in equipment located at the head end of a " 
broadcastihg system such as'a^cable television (CATV) or satellite TV system? Ifi some 
} embodiments. K^wever, 1 thd : h'ead ? ehd may be provided with aiready-encrypted Instances 
5 *<* of the service. The remMhing : pfoitioA 308 may also be located at the head end, but may 
also-be located any where whidh^has' icces^ of some kind to tifeaii end 306 arid service 
reception xbmporient 33 J; -The latter is particulaily th^ 5 case ( if the EMMs are sent out of 
band; for' example by^ 

transmission medium may be storage media, where the service origination point is the 
10 manufacturer of the media, and the service reception component may be the element 

> J - : which reads the storage media! For example, the transmission medium can bfe a CD- 
ROM, DVDi floppy disk; orariy other medilim tfrat can be tr^sfeired, physically, 
- deetrohicaHy\ of othenvise: - - * ■ '■ L - 

; ^ t j, , : } r - T"7. V7 2.. ( • '' . . .1.; . * j: ' 

15 Beginning with service origination portion 3b5Vraftdbm number generator 307 is used to 

t'<* ~ generate MSK 309. Nbxt^ah EMM-3 1 5 ; cbritairiing MSK 309 and related infbrmation is 
produced. EMM 315 also includes a sealed digest. The sealed digest has two j^uiposes: 
to ensure that the information placed in EMM 315 by service origination 305 is the same 
- information 'that arri ves at DHCT 3 3 3 and to ensure that the information lias in fact come 
20 from an entity whichi^ empowered to give access to the service: * - 1 

- f he seklfed digesris made inH wo stages: first, a digest of the EMM's cbriterits (here, MSK 

- ;r r arid the rMated i^ by hashing the* contents in a secure one-way 

" i -h^Tifurie^^^ string. TKd s^ctife one-way Irasti function 

25 has three properties! '-■■yC-^-' r - - • ' ^ 

tHe-cbhtenS fti^t^ere hashed'to prodifc'e'the shbrfbit string caririot'be' 
; - determined from* the Short bit 1 string; arid * . ^ . : 

1 - 'any 'change in' what is hashed produces a' change in the short bit spring; and 

~ ; ; • ? it is coniputatioriall^ a different message which 

30 •'■ prodtifces the 'iamelsitoh'-bit string afc the EMMi 

> The short bit stririg diitjDUt of the; hksih 'ftinction can thus fre used to determine whether the 
' contents of the EMM 'have btfartgecf in trarisit without disclosing those contents. "The 
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preferred embodim^t uses the Message Digest: 5 one way hash function, as indicated by 
the notation MD5. For details on pne-way hash foru^q^^ see : t^e §chneier reference, 
supra. The digest i§ a sealpd digest becauseit je^pyyptejc^ ■ with : a private l$ey SP . Kr 3 1 0 
, .belonging to the ejtfitlement agept (EA) Aath^,t|Le right tOcgiye the DHCT jaccess to the 
5 . , service for vyhich th£ NtSK is used to produce v JheJkey. ge£prerthe sealed,digest can be 

t _ us^d to che$k whether tl>e EMM jy^jran^rot^ b^ depjypted. using the 

, , . entitlement agent's public key. The sealed dige^ t thu^confnms.to 5 the DHGTbot^ that 
the contents of the EMM ha,ye, been transmitted; (jprrpctly, and that the. source qf^e EMM 
is the entitlement agent. , . Xii ^ fP n 1 ...\ f; :< r< ... Pi 

10 .tv^ . . " z * *. jar;: V'- n! ..-**t. . 

: Gnc&tfie sealed digest is jpade, the contents of the p4M r (here 0 MSK 3Q9and th$ related 

information) are er^ryptgd with the pu£li$ key DHCXKujJlZ of the BfiGT 333 to which 

EMM 3 1 5 is addressed and EMM 315, containing the encrypt cqntents.and tji£ sealed 

digest, is sent via transmission medium 33 1 to the DHCT 333. In the following, the — 

15 notaUon A> is use^ to indicate a private ke^ 

. 7 notation JISA indicates that the en^ption is f <iojie using t)^:,we^knp>^<RS A public key 

T As shovjjn in DHCT 333, ?MM 315 can only be deprypte4by 4 the DJgCT:?^ yfoost 
20 private key 337 (DHCT Kr) corresponds to t^c^ublic ke^ used to eijcrypj: EMM 3 15. ; 

DHCT 333 decrypts EMM 3 1 5 and uses the sealed digest to determine whether the EMM 
315 wa$ correctly transmitted. The, determination is.m^de^ j^ing pybliq lcejy.$ip Ku 335 
for the entitlement agent tp deciypt^the sealedjdig^^; rT^&J^}^^ 1 5 are 

hashed using the samesecure pne-way hash function that ,was,44?e4* tc > make the,digest. If 
25 the results of this hash are identical to the decrypted sealed di^^ ^e detenninatipn 

succeeds. The check with thejsealed digest wjil| faij t^jasijii^sipn to«the DHCT 333 
was corrupted in transit, if DHCT 333 dp^ s ^o^ha^ tte pqvate- ke)5 corresponding to the 
public key used to encrypt the EMM (Li?., is not the DHCJ 333 for which (i EMM 315 was 
intended), or if DHCT^ 333 does not ljave public. jkey 334 (SP.I^vi), corresponding to the 
30 private key of the EA that was used to makp the seaLecj digest. The latter will be the case . 

. if that DHCT 333 has not been given ^ ^cc^ss^p ^e^i^s. provided ,hy the entitlement agent. 
EMMs 315 addressed to DHCT 333 are sent repeatedly; cpnsequently^if the problem was 
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corruption in transit; an uricorrupted EMM 315 will be received shortly and the 
determination will succeed. How DHCT 333 comes to have SP Ku 335 heeded to decrypt 
the sealed digest will be explained in more detail later. 

5 Th6 next stage in service origination 305 is generating control word 319 used to actually 

encrypt service irikarice 3^5 and generating ; the ECM 323 which carries the information 
heeded to decrypt the semce'iiistiance to DHCT 333. The control word 319 is generated 
by random number generator 3 17. This can be a true random number generator, whose 
output is the result : of some basic underlying random physical process, or some other 

10 means, for exampie, the result of encrypting a value, called a "counter" (which increments 

by one' after each use) with 3DES, using the MSK as the key . In the case of a true random 
' number, th6 encrypted control word is transmitted in the ECM. In the case of the counter- 
based control word generation, the clear version of the "counter" is used hi the transmitted 
ECM. As mentioned above, the control word is a short-term key, i.e, it has a life time of a 

15 few seconds or less. Included in the ECM 323 isa digest of the contents plus the MSK 

- which is made using flie M£)5 one-way hash jiist described. The inclusion of the MSK in 
making the digest gives the ehtftlemehf agent to which the ECM 323 belongs a shared 

- secfef with ttie DHCTs 333 that are entitled to receive service instances from the 

entitlement agerit ahd consequently prevents "spoofing" of ECMs 323, that is, provision 
20 of EClVte 32 3 from a source other than the entitlement agent. As will be seen in more 

detaillater, the preferred embodiment "uses the shared secret technique generally to 
authenticate messages which contain messages that have real-time value with regard to an 
instance of a service. 

* ECM 323 is sent together with encrypted content 329 to DHCT 333. The first ECM 323 
25 for a given portion of encrypted content 329must of course arrive at DHCT 333 before 

the encrypted content does. In the preferred embodiment, content 325 and ECM 323 are 
Encoded according to the MPEG-2 standard. The standard provides for a transport stream 
which includes a number of component streams. * Some of these carry content 329, 

- another cames thd'ECMs 323, arid a third carries the EMMs 315. Only the streams 
30 canying content 329 are encrypted according to DES 329; since the control words in 

ECMs 323 and the contents of EMMs 315 have already been encrypted, no further 
encryption is needed when they are sent in the MPEG-2 transport stream. The manner in 
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which EMMs and ECMs are transported in .the MPEG-2 transport stream will be 
described in more detail later. . , * 

When an ECM 323 is received in DHCT 333, control word 319 is either decrypted or 
found by encrypting the counter value at 343 using the MSK. The integrity of the 
contents of the ECM 323 is checked by comparing the. v^lue resulting; ftpm hashing the 
contents plus some or all of the ,MSK ? (based on cryptographic principles) in the; one-way 
hash function with the message digest contained in ECM 323. Included in the contents 
are control word 319 and information identifying the service instance. 32$ \yhich ECM 
323 accompanies. The identifying information is^used together with thie Authorization 
information received with EMM 315 to determine whether DHCT 333 is authorized to 
receive the service instance 325., If it is. control wond 319 isjused in service decryptor 347 
to decrypt encrypted content to produce original content 325. 

■;**c i :>.:, * * - *.>:. ' v. bv • .vit'O ' 'i-.A .t-vooj os: «' Tr.-^i ' ^ ■ _ -: 5 - 

15 System 301 offers a number of advantages with regard to security .. It takes adygntage^pf 

the speed of symmetrical encryption systems where that is needed to decrypt encrypted 

content 329 and the control word in ECM 323. The control word is protected by 

encrypting it using the MSK, and ECM 323 is authei^icated bousing spme or. all, of MSK 

309 as a shared secret between the entitlement agent and DHCT 333. MSK 309 is 

protected in turn by the fact that it is sent in an EMM which is encrypted- using the 

DHCTs public key and by the fact that the EMM includes a sealed digest which is 

encrypted using the entitlement agent's private key. Fisher ^sec^ the 

fact that service identification information from ECM 323 must agree with the 

authorization information received in EMM 315 before control word 3 1 9 4s provided to 

service decryptor 347. For example, as described in detail in the Ranker and Akips parent 

patent application 5wpra f one use of the information in ECM 323 and, EMM 315 is to 

prevent what are termed "replay attacks" on the encrypted services. In addition to being 

secure, system 301 is flexible. The authorization information contained in EMM 315 and 

the service identification information contained in ECM 3£34ogether permit a wide ranee 



20 



25 



30 of access to service instances received in DHCT 333 



~ ? • r* 



15 



SUBSTITUTE SHEET (RULE 26) 

BNSDOCID <WO 990715OA1 I > 



WO 99/07^50 



PCT/US98/16145 



15 



Dynamic Provision of Multiple Entitlemerit agents to DHCT 333: FIG. 4 
The ixse bf the sealed digest 1 iri'EMM 3 1 5 'means that DHCT 333 will not respond to 
EMM 31 5' unless it hds'a pu£lit key fdr the eftfitlemerit agent that has the power to give 
entitlements to the seVvice tb fee dkcrJpM by the MSK in EMM 315. This is part of a 
5 - broader arrangement which DtiCf 333 with one 

or more eiltitlemeht agents arid to 1 dynamically remove provided entitlemerit agents from 
DHCT333rV T • /: ^' : "-- : .0;»r\^::r " ; - - r - • 

The entity which provides arid rembvies entitlement agents is called the conditional access 
authority (CAAf)! Tlie arrarigeibeht fiorther permits entitlement agents that have been 
10 ' provided to' DHCT 33 ! 3 to dynMriiidally modify their authorization information in DHCT 
333. All of the irifbimationTieeded to perform tliese operations is sent via EMMs, with 
the sealed digests being used to ensUre that only the CAA may add or remove entitlement 
agents and that only the entitlement agent to which authorization information belongs 
- may modify th^ ' 



: The abo ve arrange 

"* - ; It pe^fts''dyn^iH Addition and removal of entitlement agents"' 

' - • "'Ttpfu^4i£i&"dn* , &ft 4 ^vices to which an entitlement agent may grant 
20 : j 1 entitlements! but otherwise permitis entitlemerit agents to manage their own 



kuthdriatidii iri^rtrikibn: 



-.-rr 



J • It sepirates'the business of providing entitlements to services and service 

u ' ' J 1 *°1ristati<^ of actually providing instances of the'service; 

r.i ,v wutu may simply run as a distribution utility. 

25 • It separates the business of giving an entity the right to be an entitlement agent 

from the business of being an entitlement agent, 
t ; " 1 It provides mi easy way of permitting a customer to change entitlement agents 

• "It provides a secure arrangement whereby a DHCT 333 may communicate by 
30 meairis of a reverse path withfan entitlement agent, a conditional access 

authority ,or potentially the provider of the instances of the service. 
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FIG. 4 shows how the arrangement is imj>lemen|e.d in, a p?eferre$l embodiment. FIG. 4 is 
best understood. as an extension of FIG. ri 3. , BothJF^}., ^, and FIG. 3 hayetthe samemajor 
components: service origination 3Q5. D^CT 333* and transmission medium 33 1 for 
coupling the two, further, encrygtor 313 an^dec/yptgr 339 are usedjin^both figures. 
5 , Moreover, as indicated by reference numbex.SQ^the EMMs, may be either sent together 
with a service instance or by another channqj, ^I^.^ftirthe^ shows ^additipnal 
component of DHCT 333, namely EMM manager 407. EMM manager #07 is , 
implemented in software executed in a secur<? ^ pr^ces^pr in^HCX 333 ., T^ie task of EMM 
njanager 407 is to respond to EMMs which 344 r pr reipp\££i}title^ent agents and, to 
10 ' _ . EMMs which modify the authorizations for an, ^p|lement agent -EMM man^g^r 407 
further provides messages by means of which DHCT, 333, may ^ommuqicate with an 
entitlement agent or a conditional access authority. >t -.-^i.-, , 

. ... ^ . j • \. • ; : :vv " . .\> 'n^r.sir.* ^ :i ? j\o*i\A2 - 

Initially, EMMs that modify an entitlement age|)Ks.;a$^^ 

15 response to modification information 403 provided by the entitlement agent or required ? 

by the network operator. As shown ait 313, the pi^jiifi^ encrypted \ v 

using the public key 3 1 2 for DHCT 333 and h^§ a ?e|al^d dig.est > tj|at i is r enctypted using the 
private key 3 10 for the entitlement agent. /The jpultji\g ^u^oj^^Uon modification EMM 
405 is sent via transmission medium 331 to decryjp^ where it is t* 

20 decrypted and checked in the manner described above fp^ ElyJMs 3i ^containing an MSK. 

The EA modification information 403 contained ir^ to EMM 

manager 407, which uses the information to modify the §^thpqzation ijifojjnation for the 
entitlement agent in DHCT 333. Examples of mocfjf^ or canceling 

services provided by the entitlement authority and changing tjie conditions under which 

25 access to instances of a given service will be granted. 

As indicated above, the sealed digest is encrypted using Ae priyate^ey of the entitlement 
agent. Consequently, the validity of the EMM can pitfy be determine^ if DHCT 333 has 
the entitlement agent's public key. The public key for ;an entitleipien| agent is provided to 

30 DHCT 333 by an EA allocation EMM 413 from a conditional acce$s authority. EMM 

•; , . v i. :• :.M \: ' /: * f ;r s :; $ > ' • ^ 

413 contains entitlement agent allocation information 409 from the conditional access 
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authority; at a mhiimum, entitlement agent allocation information 409 contains the public 
key for the entitlement agfent; it may also contain information about the amount of 
"memory an entitlement agent ma^ hiaVte in DHCT 333 and about classes of service that an 
entitlement agent may offet; Fdr j exarhple, the entitlement ag^nt may riot be permitted to 
5 offer interactive services, information 409 is encrypted with the public key 3 1 2 of DHCT c 

333, and the sealed dige;stis enc^pted with private key 41 1 of the conditional access 
authority. 

In DHCf 333, EMM 41 3 is' idebrypted' using' private key : 337 belonging to DHCT 333 and 
10 the sealed digest is decrypted using CAA public key 415: If th6 digest fconfirms the 

correctness of the contents of the EMM, EMM manager 407 allocates storage for the 
entitlement agent whose public key is contained in EMM 413. That done, EMM manager 
407 : pla!cesthe entitlertierit ^ajgeiit ? k J jJublic key in the storage. Th6 storage provides a place 
to store the entitlement 'agent's publicity, the authorization information for the services 
15 and service instances provided by the entitlement agent, and the MSKs provided by the 

entitlement atgerit. Once DHCT 33 i ; has the entitlement agent's public key and storage for 
the ehtitleritfe^ MSK, EMM manager 46? can 

respond to EMMs from ffie entitlement agent. Of course, in order to decrypt the sealed 
digest,' DHCT key 415 for the conditional access authority; As will 

20 ' be explained in mbire detail later on, in a preferred embodiment, public key 415 and the 
public^and private keys^^ in DHCT 333 at the time that DHCT 

335 isrh^tiifact^red. '** 



When a customer orders a s^vice, the arrangements just described interact as follows: 
25 1 . If the service is provided by an entitlement agent for which the customer's DHCT 

333 does not have'thk public key, the conditional access authority' must first send 
1 EA Allocation EMM' 4 1 3 to DkCT 333 ; EMM manager 407 responds by 1 
allocating storage for the entitlement agent Only the conditional access authority 
cah send EA flotation EMM 413, and consequently, the conditional access 
30 authority (CAA) 1 can Control acdess by entitlement agents to customers of a 

, parti cular service 'distribution organization. 

1* 
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2. , If D^CT 333 has the ; entitlement ,ageiit ' s flwblic key, either because step ( 1 ) has 
just been performed or was performed. at son^e.time in the past, the. entitlement 
...... . r x agent sends, modification EMM 405 }vith ite authorization information for. the 

\ - newly-ardereid. service or sejtv^ 
5 : r , . ; responds thereto by stpring the authori^tipn information in the allocated; space. 

3 . , Once step (3) is done, DHCT 333 can receive gMM 3. 15 with the MSK fpr the 

service from the entitlement agent. EMM manager 407 stores the MSK in the s 
allocated space. 

4. -. y When the actual service instance is^eptjt is accompani.ed.by ECMs qontaining 
10 r , . the current control word. The MSK is us?d to decryp^tjie ECMs and the control 

. ; : . wor^s obtained from the ECMs are used to decrypUhe. instance of the^seryice. 

The above use of pMMs and ECMs to. contrpl aqces^t.o in^nce^ of a serviceihus 
c . guarantees .that no entitlement agent will h^ye #£ces? tQ DHCT 3.33, without permission of 
1 5 • the^ conditional acces? authority a^d that.^o DyCT^^^w^l hav^ac^ess^to pi instance of 
, ^ a service without permission of ^ 

possible for the entitlement agent to be in copiplete control ofjh^sery^^ the 
. tj! service is defined by the EMMs 405 and 31,5, an£ ^ese^may ^sg^ii- ^pfrt^e ^titleipent 
;Kv . t agept to DHCT 333 independently of the semce^ is 
20 ^ y the entitlement agept which provides t^e MSK us^^p g^prate pp^trol Wfir^and decrypt 

. r lhe ECM to both the service distribution prganizatipn-and DHCT 333. Indeed, if the 

entitlement agent wishes to do so, it can itself provide encryptf d^^t^^s^Qf the^services 
to the service distribution organization, which* in such a case, merely functions as a 
cpnduit between the entitlement agent and DHCT 333. , 
25 . f . 

Secure Transmission of Messages via the Reverse path 

FIG. 4 also shows how the, techniques used ta ensure ^security of EMMs are also used 
„ to ensure the security of messages sent from DHQT 333.. The example shown in FIG. 4 is 
a forwarded purchase me*>sage (FPM). The forvfardecl guj-chase mgss^ge is used for the 
30 interactive purchase of an instance of a service, Qne example of such a purchase is what 

is called impulse pay-per-view * orlPPV. In such a system, the ^eginningof an event, for 
example, a baseball game* is broadcast generally and customers can decide whether they 
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want to see all of it. In that case/they must provide input to DHCT 333 that indicates that 
they wish to see the entire event. EMM manager 407 responds to the input by making the 
FPM and sending it' to the entitlement agent so that the entitlement agent can charge the 



Customer for the dvfeht and send ah EKttvl 3 15* confirming 4 that DHCT 333 may continue 
5 to decrypt the event. The information needed by the entitlement agent is forwarded 

/ i^titl^^Vih&nnatiori ( 4t7; to ensure" the privacy of the customer, this information is 
"encrypted' using the 3DES algoritiim with a key 420, as shown at 343, to produce 
encrypted forward entitlement Info The key 420 is composed of two 56-bit 

DES keys/ TTieibfe^ encryption operation is'a sequence of three DES operations: 
10 encryption using the first DES key, decryption using the second DES key. and encryption 

using the first DES key Then key 420 is encrypted using the public key 335 of the 
entitlement agent' and the sealed digest ismade using the private key of DHCT333. All 
of these parts together make up forwarded purchase message 421. which is addressed to 
the entitlement agent. 



At* the entitlement agent, key 420 is'decrypted using the entitlement agent's private key 
310, and the sealed digest is decrypted using We public key 312 of the DHCT If the 



„ "Encrypted Forwarded Entitlemeht Information (EFEI) 419 contained in the FPM 421 is 
determined notto have been tampered with^ it is passed to 3DES decryption 443. which 
20 decrypts it using key 420 arid provides forwarded entitlement information 4 1 7 to the 

entitlement agent. As'will be immediately apparent, the same technique, with or without 
the 3 DES encryption of the contents of the message, can be used to send messages to any 
entity for which DHCT 333 has the public key. At a minimum, this includes the CAA 
and any entitlement agent which has been allocated memory in DHCT 333. 

Authentication of Global Broadcast Messages 



A global broadcast message is one which is not addressed to any individual DHCT 333 or 
to any group of DHCTs 333. In a preferred embodiment, global broadcast messages 
accompany mstances of services and contain information that is relevant to the instance 
they accorhpany. Consequently, the encryption and authentication techniques used in the 
global broadcast messages must permit rapid decryption and authenticity checking. One 
example of a global broadcast message is the ECM. Other examples are the different 
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types of global broadcast authenticated messages, or GBAMs. As with ECMs, it i$ 
necessary to prevent global broadcast messages from being spoofed, and it is done in the 
same fashion as with the ECMs. More specifically n the digest i? macje usipg spnje or all 
of the MSK together with the cpntent of the global broadcast message, ^he MSK thus 
5 functions as a shared secret between ]the entitlement agent and DHCT S3 3. When EMM 

manager 407 receives the global message, it makes a digest using the contents of the 
received message and the MSK and responds to the received message, only if the dieest 
agrees with the one contained in the message. An advantage of usine a digest made with 

the MSK to authenticate the global broadcast message is that, the digest may be both made 

•.. ru- - K ! -v.? i.v.u/:, »> ; n.'j- ::>•*. { r. ;T I ? . v/j -Mt 

10 and checked very quickly. _ 

■ ■; ■ - -) * .... rs „. f • v .\ " 

Implementation of the Conditional Access System in a Digital Broadband Delivery 

System 

... b.j£?: ;• ' ; - ^ 5 . '.-!i3/u.;:ja io: r-.-3TC >. i r.:q - rid, "■ ) . 

The foregoing has described the conditional access system in terms of ECMs, EMMs, and 

15 other messages and in terms of the manner in which the messages and their digests are 

encrypted and decrypted. The conditional access system as just described will work with 

any communications arrangement which permits an instance of a service to be delivered 

to a DHCT together with ECMs and other broadcast messages and which permits the - 

DHCT to receive EMMs from a conditional access authority and one or more entitlement 

u ),n * ''■ r - .ic. * .3 i«i j» .« us :r.;£ v ■ ?s ; i^cn 01 iu r b'*a : 

agents. The conditional access system is, however, particularly well-suited for use in a 
r.iko: ' '* ■ '- «" ■ - • "I ^^f-'C-.c Ji-- "-tm r 

modem digital broadband delivery system, and the following will describe how the 

rLi v v • ./.i'- *- • ir ' ;: * ' » -^vrcr:: si: :t:v. -A i.T*'jc i* « ;..v 

conditional access system is implemented in such a delivery system. 

/;v: r J ■ ~< "< ^ ■. • • ; ^ r I: ■ r.ymoo cX* ;o n^O.-ivf -n^ ':.aClc v::, 

AaC • *■ *•*';. :• .! .'i i- :*n :rt . rui :j. ei»x TOHG rfoiiiw:/'/; vihj;:- 

Overview of the Digital Broadband Delivery System: FIG. 5 

25 FIG. 5 provides an overview of digital broadband delivery system (DBDS) 501. DBDS 

501 includes service infrastructure 503, a headend 515, a transport infrastructure 517 
hubs 519 (0 ... n), access networks 521 (0 ... n), and Digital Home Communications 
Terminals (DHCTs) 333. The service infrastructure consists pf Value-Added Service 
Provider (VASP) systems 509, which are systems that proyide services to the broad band 

30 delivery system, the Digital Network Control Systein (DNCS) 507, which manages and 

controls services provided by means ot DBDS 50 h the Administrative Gateway (AG) 
505, which is a source of service provisioning and authorization information in DBDS 
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501, Network Management System (NMS) 5 I I , which maintains a database of system 
status and perform^ce J ihf6rmation, and the Cote Network 513, which interconnects other 
Service Infrastructure 503 components with headend 5 1 5. In a preferred embodiment, 
Core Network 513 consists of ATM-based switching and transmission facilities. Headend 
515 provides an interface* between service : infrastructure 503 and transport infrastructure 
5 1 7. Transport infrastructure 517 provides a high-bandwidth interconnection from 
headend 515 to hubs 519(G?.h). ^abh hub 519(5) serves an access network 521(i), which 
consists of hybrid fiber coax (HFC) nodes 523 connected via a coax bus network to 
- DHCTs 333. A given DHCT 333 (fc) in DBDS 50 i thus bdongs to an HFC node 5320) 
in an access network 521(i). Transport infrastructure 517 and access network 523 may 
provide only a forv/ard channel from head end 515 to a given DHCT 333(k), but 
preferably provide both a forward channel and a reverse path. Each instance of a DBDS 
501 generally provides seh/itfe : to ; k metropolitan afea. 1 " ; 1 

DBDS 501 can be implemented in a variety of configurations to fit the circumstances of a 
particular service environment. For example, headend equipment may be deployed 
within headend 515, within a hub S\9(i)\ or as part of a VASP system 509. DNCS 
components 506 may be deployed within headend 515 or distributed among the hubs 519. 
Transport infrastructure 5 1 7 may utilize SONET add/drop multiplexing, analog fiber 
technology, or other transmission technologies. 

Overview of tfi'e Coriditiona! Access System: FIG, 6 " l * 

FIG. 6 shows the components of a preferred embodiment of conditional access system 
601 in DBDS 501. Conditional access' system 601 is a collection of component T)NCS 
507; h'eadend r 5 J5v anci DHCT 333 that togetheir provide security and conditional access 

' -services*. * — ,j ■ 

The cbmpbnerits'bf coriditrohai act&s System 601 ''perform the following functions: 
17 encrypting the service content 
- 2. - ericrypting'the control words used'fbr service encryption 

3. authenticating the ECftli that contain the encrypted control words 

4. passing the E&Ivlis to 5HC¥s J cU - v: 
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5. managing a subscriber authorization database . .... / j. - 

6. \ encrypting and authenticating, EMMs containing subscriber entitlement , 

information * .. .... , - . 

,.7 V Passing the EMMs to DHCTs ,^.> rf,* -, 0 r -, K : - ;i - ... y . . ; 
5 8, , decrypting the EMMs. and chec&ngJlieir : 

9. responding to the EMMs by, modifying entitlement infomiation in the DHCTs 
H> ^ 10. responding to the.ECMs by authenticating tlie^d«iyiitmg a .the control word, and 
checking entitlement at DHCT 333, and ^- . K ^ ^ L; : K . \. • • *k 
. . 11. *f l ^c LCM is authentic and the authorizations pe^it^^ecrypting the service 

10 . conle P l - >. > ; . : v * :r.^hov- 4 

These requirements are njet by the following .components of conditional access system 

Stream Encryption & ECM Streamer Modules 62p : in head end,5 15;, ? 
Control Suite 607 in DNCS 507; 
15 , I. Transaction Encryption Device 50£ in hpad end 5 15,. with secure link to DNCS - 

* ■ ; :. >V '.3 u> * : " '5 r^i:::: 'r.-:;.. :vt^ -v..*^--.; - 

II. Service Qecryptor Module 625 in DJHCT }33; v . ; _-v^.y ; 

III. Security tyanager Module 626, in DHjp^^:,twd. «■ ^ - ; 

FIG. 6 depicts a typical configuration of these components for securing digital services 
within DBDS 501. In the following the ?Qinpf>nent£ ip^piore, detail. 

^ v ^eryice Encryption 3t ECM Streamer Module 6£(K . ; r ::ci cZ) (0c ni I^c 

25 Service Encryption and ECM Streamer (SEES^fnodde^O^ axpmponqyHof QAM 

Modulator 619 that operates under direction of control suite 607 to encrypt tfye MPEG-2 
transport stream packets that arj^ef^ployed.in the pre^^d,embp4iment to transmit 
service content 325. As shown in FIG. 6, se^ice^ont^nt 325 m^y, be received from 
sources such as a digital satellite distribution system 613, a. dig^al terrestrial distribution 
30 system 61 1 , or a media server 609. Mpdi^se^-r^OJ^fn^y. ^e ; connected to head end 515, 

by a broadband integrated gateway 615. SEE^2ai^es>^4SK 309 to generate the control 
words 319 used for service encryption and creates ECMs 323 for transporting the control 
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words together with encrypted service content 329 within the outgoing MPEG-2 
Transport Stream." SEES'620 encrypts the control words in the ECMs 323' with MSKs 
309. The MSKs are generated by TED '603 and' are sent to SEES 620 in encrypted form 
in EMM-like messages. : ' A lT--' : ? • - ' - '"- ' ■ ' " 

.: •. '': "<.;:.- .:**':■£ \u -u- • i ' ■ ■-.•'!< ..I r-: 



J .i J i 



• DHCT 333 ' 
DHCT 333 is connected between the HFC network 521 and the customer's television set. 
DfiCT 333 receives and intefprets EMMs, ECMs, and GBAMs and decrypts instances of 
services. DHCT 333 further provides the customer interface for DBDS 501 and receives 

10 customer input 628 from the customer. In response to the customer input. DHCT 333 

r * T' r: « - r ■ ? ' i c \!C>*" "■ : r V- " - ~ ■* . ."!>*'.'.. 

may generate FPMs or other messages that travel via the reverse path to the CAA or to 

r- -,. ..'.--•<» v?;".-. ' '~ 1 ' ' ' " ' ' ■* 

EAs. In a preferred embodiment, DHCT 333 is implemented using a combination of 

; general purpose processors. ASICs, and secure elements (which may be implemented 

discretely or integrated). For purposes of the present discussion, DHCT 333 has three 

15 important components: service decryption module 625. security manager 626. and DHCT 

sedure elemenV(DHCTSE) Sll Service decryption module 625 is preferably 

implemented in an ASIC, and security manager 626 is preferably implemented in 

software. DHCTSE 627 is a secure element for performing security and conditional 



access-related functions. 



Service Decryptor Module 625 



Service decryptor module 625 is the component of DHCT 333 that decrypts the encrypted 
MPEG-2 transport stream packets. Service decryptor 625 receives the control words to be 
used for service decryption from DHCTSE 627. DHCTSE 627 controls, which transport 
25 stream packets are decrypted by only passing the control words for authorized services to 

service decryptor 625. 

* . ■ ■ '~i } - "t ' • i* o.* c"* ■ j - ■ { -v "r - C ' » : ■ f * • " * • ' • ' • — * - * ' 

Security' manager 626 

Security manager 626 is a software module of the DHCT that provides an interface 

■ : - . a - ; "3r!-o ui. * ; c:;^ t - ' -v^ ;i, : ; - 

between applications running on DHCT 333 which use the conditional access system and 
:■ ' - . • - • ". ; -:v;vrt '.■l.'V--? ; • ■ ~ ~ 

30 DHCTSE 627. It als6 coordinates processing between the service decryptor module and 

• / : . i..; /I:rr -iv :it;- * . - 

DHCTSE 627. 
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DHqTSE 627 ...... . . : .... . , , } . . 

DHCTSE 627 scores keys, interprets EMMs. and ECMsi.apd produces FPMs. With the 
EMMs and ECMs, it does the decryption and autljepjtication required for interpretation 
and with FPMs, it makes the sealed digest and encrypts the FPJ$. Xhus,; in the, preferred 
embodiment, EMM manager 407 is implemented in secure element 617. In addition, 
DHCTSE 627 provides encryption, decryption, digest, and digital signature servipe^ for 
other applications executing on DHCT 333. Secure element (DHCTSE) 627 includes a 
microprocessor and memory that onty the microprocessor, may access. Both the memory 
and the microprocessor are contained in tamper-proof packaging. In interpreting EMMs, 

■ .-oi' ..*'t ^ : v.. "i. y" T ' --{•■•'07, ."OrVVr v.- v - 2u 

DHCTSE 627 acquires and stores keys and entitlement information; in interpreting 
ECMs, DHCTSE 627 uses the entitlement information to deterr^ine.whether DHCT 333 

receiving the ECM has an entitlement for the instance of the service which the ECM 

- r. :>.:=..' T — ■ P T 'iG. . .?rni).:-df.- vrv?^' ■ -.^. i 

accompanies; if ft does, DHCTSE 627 processes the ECM, and provides the control word 

to service decryptor module 625 in a form that it may use, to decrypt or descramble 

-a*.- •. .;. >. ..*'.: . > . • t: w I-:- i .»u '■?£!■. : -inr " f; . 

services. DHCTSE 627 further records purchase information for impulse-purchasable 

services such as IPPV and stores the purchase data securely until the data is successfully 

forwarded via a forwarded purchasing message to control suite 607. DHCTSE 627 

• > m v., ■ ' .: . T : n' h . as ,\ ;;!S:TT3iqn:.. w . * . 

maintains MSK for the EAs, the private/public key pairs foj DHCT 333. and the public 

keys of the conditional access authorities and the entitlement agents. 
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Control Suite 607 

Control suite 607 is a member of the DNCS family of software. Control suite 607 

" controls the encryption of services performed by a SEES module 620 based upon input 

„ o) site. 1' • r.« s ,: ' • :l / 'V • 'r-' -xun'M nc:rai::r;; ^v>r 

from the DNCS broadcast control suite component. Control Suite 607 also maintains a 

25 database of subscriber authorizations based upon transactions received from 

■?j-;:v-v i-\ •- '•• ' - ' ? ' <J !'^f C - * '- : v>." .7 " : 

" Administrative Gateway 511. Control suite 607 generates EMMs for communicating 

subscriber authorizations and other conditional access parameters to the DHCTSE 627 

Control suite 607 acts on behalf of entitlement agents. The EMMs generated by control 

suite 607 for communicating subscriber authorizations and other conditional access 

30 parameters to DHCTSE 627 are encrypted with the public keys of the^DHCTs 333 to 

" which they are directed and are authenticated with the private key of the. E^, which is 

maintained by transaction encryption device (TED) 603. DHCTSE 627 maintains the 
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public key of the EA and u^es4t to Confirm the authenticity of EMMs generated by 
control suite 607 for the EA.' 1 ' 1 '• " ;C 

--Control Suite 607 furuier enables the'establishment of a conditional access^authority 
(CAA). Control "situte^^ene^es'-EA 'allc^tfon EMMs 413 which pass the public key 
of the EA & r a DHCTSE^27: These EMMs 4 13 are encrypted as described above, but are 

• authehticatedusahg a digi^signfftufe^niade with the private key of the CAA, which is 
maintained by TED 603. DHCTSE 627 is pre-provisioned with the public key of the 

•• CAA fdruse'in <»hnrriin^Hne n a^tfeiiti8ity these £MMs 413'. * * " 



10 



"'Communications between cdhtfOl suite 607 and the rest of conditional access system 601 
are by means of LAN intercbhn'ecf "devices 605 arid 6 1 7. Device 605 connects "Control 
Suite 607 to Administrative Gateway' SOs/ffoih whiclrit receives' the Wonnation 
necessary to- make ECMs ah^ EMMs, and device 6 1 7 connects it to the SEES modules 

15 620 in the QAM modulators and to QPSK modulator 62 1 and' QPSK demodulator 623, 

which are in turn connected to HFC network 52 L The connection between Control Suite 
607 and DHCT 333 via LAN interconnect device 617, modulator 621, demodulator 623. 
tind HFC netwdrk '52? impfernents the reverse path needed for messages such as FPM 421 
and also implements a forward channel to DHCT 333. This forward channel is 

20 independem-ofuieTfbrw»d : chliuiei-uiea to pro'vide'the services, lri conditional access 

system 60 L Control Suite 607'fcaSff sehd"EMMs or broadcast messages to DHCT 333 
either by the forward charihel just described or by sending them together with an instance 
Liov. i of aseWicfe^"' **t uss & • • - " "V • ■■ " . • ' : '• : * 

25 Transaction Encryption Device r 603 

Transaction Encryption Device (TED) 603 serves as a peripheral to Control Suite 607. 
TED 603, under the direcuort of'Control Suite' 607, encrypts and makes sealed digests of 
- various conditional ac^^sfeifilrhessages^ including EMMs. TED 603 may also 
1 .generate and store (MSKs) which' are Used by SEES 620 to encrypt the control words in 
30 • ■ : i ' the ECMs and to-decrypit the control words in DHCTSE 627/ TED 603 further uses the " 
- MSKs to authenticate me' global ^roadcastmessage class of conditional access system 
messages. Authenticatibri is dbrie by hashing the contents of the message together with 
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some or all of the MSK. TED 603 decrypts and ^verifies the authenticity of Forwarded 
Purchase Messages 421 sent from the DHCTs 333 as wejl as other messages sept using 
the reverse path. TED 603 maintains the private keys of the CAA and the EA and 
receives from the DNCS the public keys of the DHC;js from which it receiyes messages. 
5 As will be explained, in more detail below, TED §Q3. jpqeiye^the public keys from a 

source that confirms the authenticity of each key. TED 603 finally makes a sealed digest 
. for the EMMs using the private key of the CAA^d.EA ^.appropriate for the EMM. 

Using the Conditional Access System to Support Services and Programs Executing 
10 in DHCT 333 or Service Infrastructure 507 

^ The conditional access system can be utilized to secvjre the. provisioning of a service or to 
provide security services to programs executing. ,qn DHCT 3 $3 or programs in Control 

J *i .* . - * 

Suite 607. Secure service provision does not rp^iyje tjiat the.DHCT programs that 
support the service be secure. The reason for this, is jfoaj the -following may be done onlv 
15 by DHCTSE 627 inDHCT 333 or. by a TED 603: / - ; , . , 

• generation of the MSK; ' . . 

; < . .. .. .... .- * . * " 

• storage of the MSK; ' - , . , ■ - - t . 

... t ^ , _ , • storage of the keys needed to encrypt ^^J^f^}^J^ and to ip^Jce and 
check sealed digests; > bTB# , I0 . : iM „ . fw!c r: ; , v- . :> ,,,, 

20 storage of the entitlement infoqpati^^ 

r . 7 ... • .enW^on^d/ordec^ .r.-, 0f , , 

fl encryption or decryption of the b7B r;m 7/j . r:0 

• provisioning of the MSK to SEES module 607 and the deciy^tpd control word 
to service decryption module 625; 

25 • making and checking digests wi^^|i^e^s5ci^t^ !no r j it - u r . Je .^ nM 

^ • making and checking scaled digests;-. . 0 ; r . A ? fIC ; Jrv:: /lw , r , y 

• confirming that a DHCT £321 f£ entitled tg f reqe^ve ? $fYyice. . - ' 

A program executing on DHCT 333 or ^ prpgi^p. i^ copftol fuite 60X has no access to 
. any of the information stored in DH9TSJE : 627.qr JED^OS^^ .can thij3 dq .nothing with 
30 EMMs and ECMs beyond, ^kingDHCTSE 62J ox JED j603 r to ; genpi^te or interpret them. 

For example, when DHCT 333/ecejve$ ^^^M^apipl^ passes ,tl]e ElyiM to DHCTSE 
627 for processing; when it receives an ECM. it does the same; if the authorization 
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information contained in the ECU and stored in the DHCTSE627 indicates that DHCT 
333 is entitled to the service DHCTSE 627'pfbvides the decrypted control word to 
service ^dfecryptioh module "625: - - - r: •* - 

5 The conditional access system can also do security checking for programs generally. For 

example, a program executing on DHCT 333 that requires downloaded information from 
a server application may exp'ect that a seafed digest wis added to the inforination before it 
wis downloaded; arid th^ program may use DHCtlSE 627 td check thb sekled digest and 
' determine- whether the ^ informations 'authehticVb it is up to the program to decide what 

10 to do with the information when D&CTSE 627 indicates that it is hot authentic: 1 

Details of Messages in Go nditional Access System 601 ; ' / J v 

1 • In conditional-' access system 601 ; theECM. the EMM; the FPM, and the GBAM are all 
: different types of conditionaracbess messages. 1 The conditional access messages all have 
15 . ■ ■ w a commo ri format, namely a Header, the message itself, and a message authentication 
code,ior-MAG. : •■The--head^6ont^if« r the following^friformation: ' : ' q 

-^ ^ ■• ^ffieAype ©fthe messaged? whether it is kn ECM, EMM, GBAM, oi^ 
something else; r 
• the length of the message; 
20 ; ^ fi -' 

* ' ** "• * an identifier T6r tfie type bf security algorithm used with the message," ' 

■ -v including enCiyptibJi of the message and authentication of iits contents; and 
the length of the message content. ;: 7 ^ :u : :^ 

The header is fol^^ message knd the MAC, which, depeh&yon the 

25 message type, may fee a sealfecl digest br * : digest made with some or all of the MSIC 

togfetheTwith : •the'iriessage': - 1,1 - * ' ; " ? ' ym ' A - ^ ' : i: " r " r;rjr> 

' In digital' broWband-ieliv^^tetai 501,' CA ; messages may travel either in a NtfEG-2 
* data stream or in aniPipackfet, that is, a packet inade according to the rules of the Internet 
30 Protocol. Also, other transport' protocol^ stich as ATM may be used. In the preferred 

embodiment, messages from control suite 607 to DHCT 333 may travel in MPEG-2 or IP 
packets; messages from DHCT 333 to control suite 607 travel as IP packets on the reverse 
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path providedby QPSK demodulator 623 and, LAN interconnect device 6]7. In-general, 
messages to PHCT 333 which closely a^oci£^jd^^witt\ particular instances -ofservices, 
such as ECMs and GBAMs, travel in the MPEG-2 data stre^m^EMMs rt^ travel either 
in the MPEG-2 transport stream or as IP packets via LAN interconnect device 617 and 
Q^,ipodul^tor621. rt . T , :i _. Ml runrr « r ..r.: - ; 



10 
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jqA Mewgg^s in the MPJEGJ-^ Transport Stream: KIG.J, r - / : 

: ^ , HG. 7 is a schismatic representation of an. MP]^ : 2 ? transport strean) 7Q1. An^MBJEG-2 
transport str^^un is made up of sequence of 1 SS^^.k^g-ti^spo^^packe]ter703y The 
packets 703 in th,e str.eam cany information that* when, ccmbified ^tjDflGT; 333; defines 
an instance of a service and the access rights of a given DHCT 333 to the service. There 
are two broad categories of,infoiro^ioiy. prpgr^7Q^)V(Wp^?%^ information needed to 
5 . prp^yce the actual pictures .andjSounc^, and program ^efiifcipfpim^ipi^(PSI>71 U, which 
f f is information concerning jp^tters-such c^ hftwthe ^ \>p sent. acrpss the 

ne^wprk, how the prpgram 70£is packeti^d, and what fiata ; is use^tp^jmit access to the 
program 709. Each of these br^ad categories : 
example, program^ 709 may jpclude video informational s?ygral : <?h^ujels of audio 



information. 



.-.20f.- v.i:\- tiiunsl tii: 



Each transport packet 703 has^ packe^identifi^ or P^p ?c and ^H of the packets 703 that 
316 carrying information for a given subcateg^^ll.^ye^^fn^f Ig. Xhus. in FIG. 7, 
. the packets carrying Video 1 .all. hav$ £ID (a), and \he: packets fep^ojag^g to that 

subcategory are identified by 705(a). Si^Uarl^ r ,titje packe^ qagying ^dic^ 1 all have . 
„ n PID^b^and the packet^ belpngipg tp,th^t c^tegic^^^ 3f ;r 

subcategory .of information can Ausjje jdptified t*y-tl}e PIQ o|ijs packets... As shown at 
output packets 707, the output from mux 704 is a sequence, pf^QJiUgupus.rindividual 
packets from the various subcategories. Any part or all of MPEG-2 transport stream 701 
. inay be encrypted, except t{j£t packet headers and. adaptation* jpeWs^gg never encrypted. 
In the preferre^embodiment, the sets of packet^ .picking up prpgjam 709 are encrypted 
according to the DES algorithm* with the control word a^ r< a key r , 
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Two of the subcategories are special : those identified by PID t) (705(e)) and PID 1 
(705(c)) list the PIDs of the bther'packets associated with the service(s) and thus can be 
used to find ail of the iAfoxmatioh associated with any service. The packets in PID 1 
705(c) haVe as their contents a conditional access table 710, which lists the PIDs of other 

5 packets that contain EMMs.' One set of such packets appears as EMM packets 705(d), as 

* indicated by the arrow from CAT 710 to packets 705(d)! Each packet 703 in packets 
705(d) contains' private information, that is, information wliich is private to conditional 
access system 601 : As will be explained in more detail below, private information 713, 
for the piirposes of this invention, Vs a sequence of C A messages, each of which contains 

10 an EMM, arid private information 71 9, is a sequence of messages, each of which contains 

an ECM. : ; " *' y ' ' . ' ■ 

; V > i - . i r.'.i: . 

, The packets in PID 0 705(e) contain a program association table which lists PIDs of 
packets that are associated with a particular instance of a service. One such set of packets 
15 is program maps packets 705(f), which contain a program map table 7 1 7 that lists, 

v amongst other things, the PlDs of transport packets 703 containing ECMs for the 
N program: One such set of packets is shown at 705(g); Each of the transport packets 
contains privale iriforrnatiori 719, which in this case - is a sequence of CA messages, each 



of which contains an ECM. ^ 



FIG. 8 shows in detail how EMMs are carried in transport packets 703. The payload 
space 719 in the packets carries data from a CA_PRIVATE_SECTION layer 803, which 
in turn contains a sequence of CA messages 805, each of which contains an EMM 807. 
in the sets of packets 705(g) carrying ECMs, the control words in the ECMs are encrypted 
25 : -" using the 3DES algorithm with the MSK as key; in the sets of packets 705(d) carrying 
EMMs, the EMMslare enciypteH using the public key of DHCT 333 for which they are 
intended. As will be immediately apparent the techniques just described can be employed 
to transmit any C A message "805 as part of an MPEG-2 transport stream. 
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Mapping CA Messages into IP Protocol Packets: FIG. 9 

FIG. 9 shows how EMMs are mapped into the Internet Protocol (IP) packets used to 
communicate between control suite 607 and DHCT 333 via LAN device 617 and OPSK 
modulator 621 and demodulator 623. An IP packet 903^ is a variable-length packet that 
consists simply of a header and a payload. The header contains source and destination IP 

addresses for the packet. With an EMM, the source address is the IP address of the CA or 

vr}\ ■;- .- 1 »>.'* • .", c .... 'C ; • • Tj . ' i:v s ors i-ti: m 

EA. and the destination address is the IP address of DHCT 333. In the preferred^ 

embodiment, the IP address of DHCT 333 is constructed using its serial number. The IP 

-i . . ; . ' Ki>. . . < ■ c ->... ar/j ^ -r, ■■: . v.; 

addresses in DBDS 501 are partitioned by HFC node 523. The, payload of the IP packet is 
a packet 905 belonging to the User Datagram Protocol . (UDP) which has as its payload a 
CAJPRIVATE_SECTION 803, which in turn contains a sequence of CA messages 805, 
each of which contains an EMM 807. 

ECM Structure Details: FIG. 10 

:n i. .- . ■<■■ -~>.:r. i<;~ = : 

FIG. 10 shows details of the structure of an ECM 1008 and shows the mapping 1001 from 

,|; .. •• ' ;' • , ... -. :• -csfW/ .v~> • , - '■,<■ :r > r i: .. * ■ * 

an ECM 1008 to a set 705(e) of MPEG-2 transport packets 703. As before, the data of a 

- • . :' - i m'j -Ti io r.Ui-1 ; .z^m..: ' 

C A_PRI V ATE_S ECTI ON 803 is carried in a set of MPEG-2 transport packets 703 with, 
the same PID. The data is a header 1003 for private section 803, and a sequence of CA 
messages 805, each of which includes a CA message header 1005, a CA ECM message^ 
20 1007, and an ECM MAC 1013. CA ECM message 1007 and ECM MAC 1013 together 

makeup ECM 1008. 

FIG. 10 also shows how the control word is protected, in ECM 1008 and how ECM MAC 

101 3 is produced. The control word is a random value that is either encrypted using 

' ' tuqv^.v* ov, ; ■' jr. i. . " ' ! * • -f l^^'^V i^;;. ■ - i r° 

25 3DES encryption or created by encrypting a counter value using 3DES encryption, using 

the MSK as the key. In either case, the preferred embodiment calls for an MSK which is 

made up of two 56-bit DES keys, and the 3DES encryption operation is a sequence of 

three DES operations: encryption using the first DES key, decryption using the second 

DES key, and encryption using the first DES key. The control word, too, may have even 

30 or odd parity. As shown at 1013, the odd control word (after suitable encryption) 

becomes part of ECM_entitfement_unit_message 101 1 , and, in its non-encrypted form, is 

used together with some or all of the MSK as input to the MD5 one-way hash function to 
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produce ECM MAC 1013. The same procedure is used with' the even-parity control 
word. The contents other than' the control Word of ECMlentitrement_uhit_mess'age 101 1 
will be examined in more detail later - *•-■ • 

• ■ : T ••• : Wl-v-sr..' - ■ - •• -c • ;:• 

EMM Structure Details: FIG: ! J 

FIG. 1 1 shows a CA message" 805 Wmch ! contains' an EMM 1112. CA message 805 has a 
header 1 003, a CA EMM 'message' 1 lOl/and a sealed digest" I 103'. CA EMM message 
1 V0\ consists dfCA EMM message Header 1 105, EMM' message 1 107! and CRC error 
detection code 1 1 09? EMM message 1 K»7 in its wm t'dmains EMM header 1 1 1 3 and 
EMMJnsideldatal 1 15. EMMlinside_data 'l 15 is encrypted using the public key of the 
DHCT 33* for which it is intended. The data which is encrypted is 'EMM data 1 1 29, 
which in turn is made up of EMM_inside_headeri 123 and EMM command_data 1 125 
together with padding 1 127. EMM data 1 129 is also input to the MD5 one-way hash 
function to produce EMM MA'C V\ 19 and seated digest 1 1 03 is made by encrypting 
•EMMrsignihg_header 11 17,EMM c MaC : 1 if*, EMM_signing header lVlVVaha padding 
1121 with ; the pri vate key of either an entitlement a'gent or a Conditional access authority, 
^ 'depending on what kind' of EMM it is. * ' '■' ' : 

- • The EMM_sigmhg_headerisinf6!rmatioh from the EMM _insidei1ieader. This 4 

information is" particularly sensitive and is consequently encrypted by both the: public key 
of DHCT 333: for-privacy reasons', and the private key of the "entitlement agent or the 

I -c'ondltiohM-iccessaumlmt^ to apply aWgital signature. Upon reception! and 'alter the 
privacy decryption, if the signature verification fails, the EMM is discarded by DHCT 
333. Included in this information are an ID for the conditional access system, the type of 
the C A messageVihe serial number of thd microprocessor iii the DHCT's DHCTSE 627, 
an identifier for the •<?AA c b'r''EA which is &e"source of the EMM, an indication of which 
"of the thifepuBlle^eysTbr'tKe CaA in DHCT 33i's secure element is to" be used to 
decrypt the sealed-digest, and ah indication bf the format of the EMM. The contents of 
EMM commahd_data i ri ; 25^ will be explained in more detail in the discussion of the 
operations performed using EMMs: - - J - 
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Details of DHCTSE 627: FIGs. 12-14 r , ; / 

DHCTSE 627 has five main ftmctions m 

• It securely stores keys including the ^puhf^Q^d^rivate key^for PHQT 333, 
public keys for the CAA, public keys for EAs from which DHCT 333 is 
authorized to receive services, and MSKs>,prpyided Ijy ,thos§ ; , , ^ ; \ 

. • It securely store^pntitl^ment infopnatiqn sent by the EAs.,, ^, -\ 

• It decrypt?, aLuAenticates^ and .'rQsppn4s|o- : El^M^:;:i , ; • a- /i 

• It decrypt? tte control words jn the ECJVJs, authenticates the,ECMs, and when 
DHCT-333 is authorize^ to receive the service instance to, which the ECM 

10 . belongs^ it provides the control woi^ to ^sempe decryptpr 625. , 

r ; v . • 11 Rrovides encryptipn, decryption; and^au^entica^qn^ervi^^snp applications 
c-:. "i,r- ■ ■ mnnin ? Qp>HCT33V . M ; ,;, f , J/t/ ^ . > -rn < « • 

' ■■. . % ' . x-i ' ' < .'Mi. I . J, t.':! ; .:'v, .1'iv. ir. ' 

DHCTSE 627 includes a micrpprocessorXcapable of ^perfonqing : ^5S)< specialized 
15 • i l hardware for performing RSA encryption-and decryption,; and ^eeure memory .elements. ; t . 
-A*! ?f.^?? components of DHCTSE. 627 are contained a singje tamp^-proofil?ackage, 
such as a package that upon attempting to access ^e v inf9r^auon cpptained wijthjnithe 
information is destroyed. Only the components of DHCTSE 627 have access to the 
information stored in,the secure mempry element „ Any attempt b^a. user \<y gain access: 
20 ^ to any, of u|e parts of DHCTSE 627 .renders. DHC/TSJE. 627 unusable, and.ks contents 

^unreadrf)le. DHCTSE 627 may be an integral jja^.o/.DHgT 3,33, or it may Ije contained 
in a user-installable module such as a, "smart card'.'. : ThejUS^f : yposon^i^s"ithe ; DHCT 

"• q /i?/ 12.P«>vides an overview .of the components ; pf DHCXS^,^; As#hpwn,.the- 
25 r . . components of DHCTSE 62J are all. connected to.a bus 120^ JJegjnning,with; interface 
. Jv 1 l f the general purpose processor upon whjeh applica^io.ns execute-in DHCT 333, 
interface 1 203 permits passage of databetween the remaining components of DHCT 333 
. ^P^CTSE 627, buj does not permi? pomponents in r the remainder of DHCT 333 to 
address and read the contents of secret values, in memory-in- DHCTSE 627. i .r 
30 Microprocessor 1201 executes the code for doing ep^^p^Qn, deception, and i. : 

authentication and interpreting EMMs and ECMs; RSA hardware 1217 is special 
hardware performing the calculations involved with RSA encryption and decryption. 
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Membry 1207 contains ^tHe code'execiited by microprocessor 1201, the keys, and the 
entitlement information. In a preferred embodiment, there are two kinds of physical 
* memory in memory 1207: ROM 1*2 19; Which is re^d-only memory whose contents are 
fixed when DHCTSE 627 is manufactured, and non-volatile memory (NVM) 1209, which 
5 can be read and written like normal random-access memory, but which retains its current 

values when DHCTSE 627 is without power. Non- volatile memory 1209 is organized as 
a set of non- volatile storage ceilii(NVSCs) 121 1(0 n), as described in U.S. Patent 
■* * ■ 5,742,677, PindeJr, et ah; information Terminal Having Reconfigur able Memory, filed 3 
April 1995.-" '~ v ■ V ' 7 ^" :i * : ^ : ' A : J 

10 * n " • * ' v * " ■ ' ' v ,y ' : - 

As will be explained in gteatef detail below^ code executing in microprocessor lioi 
dynamically' allocates ; NVStsT2i 1 to entitlement agents. In the preferred embodiment. 
NVM 1209 vs used lor tHe^tolagerof information Which canble rewritten by means of 
'EMMs, and ROM 12 1 9 is iised for code which will not change during the life of " 

15 DHCTSE 627. • ' -v 

i : FIG: 1 ! 3 is aYchdfnatic overview of thfe' contents of memory 1207 in DHCT$E 627. The 
menibryik divided intt> two main paths: read-only storage 1301. which contains code and 
'cither infbfrriafidn that does ri6t { 'CFiange as a result of the interpretation of EMMs^ and 
20 NVA storage 1 303; which is nonvolatile storage that changes as a result of the 

interpretations of EMM?! KO'storia^ 130 remains codeTJOS. " ' * ' ' [' 

Code 1303 fallsf into four categories': code 1 3 07 for the encryption, decryption, and 
r authbnncationopVa^ons performed by'' DHCTSE 627, code Tor interpreting EMMs 1313, 

25 code for interpreting ECMs r l 321 , arid code for Tiandii'ng other CA messages such as the 

FPM and the GBAM ; &>aef T3X)7 include* code 1308 for the MD5 one-way hash" 
algorithmrthe code i 309 fof "the v RSA public key algorithm, and the code 13 1 i for the 
3DES algorithm: : EM"M l code 13 i3 falls into three classes: co'de 1315 whicK interprets 
EMMs received frdm'a conditional access authority, code 1317 which interprets EMMs 

30 employed by the entitlement agents to configure the storage allocation they receive from 

the CAA, and code 1319 which interprets EMMs containing MSKs and entitlements. 
Code 1315,1317 and 1319 thus implements EMM manager 407 in a preferred 
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embodiment. , The code for interpreting E(T^s. l321 ; ..dec3rypt3 the control word contained 
in the tCM and checks whether DHCT 333. is p^rrijitted to access the .instance of the 
service that the ECM accompanies; ,so v the. codp provides the decrypted control word to 
service decryption module 625. The cpde for Qthe£ CA messages lp23 deals ; . 
5 messages such as the FPM and GBAM. . r . , . 



NVA storage 1303 has two main comppnents^ administrative storage, 1330 and EA. 
f storage 1331. Administrative storage 1330 contains PHCTkeys 1 325,;CAA keys.l 329, 
and CAA data 1 330. Beginning with DHCT keys 1325, each DHCT 333 : has tw,o public- 

10 private key pairs. The public key of one of the pairs serves as the public key used to 

encrypt EMMs sent to DHCT 333, and the private kgy is used .in DHCT 333. ;to decrypt 
the messages; the private key of the pther.of the pairs is^usqd to.egciypt the sealed digests 
of messages sent by DHCT 333, and the public k^^^^by-ptherjnetwor^ elements to 
decrypt the sealed digests of messages received ^ro^ DHCT ^St ^The P^irs of keys are V 

15 installed in DHCTSE 627 when DHCTSE 627 is manufactured. c , ; , ; 

... In r a preferred embodiment, the manufacturer of PHC,T ,333 n^ai^ins^axgrtified, database 
which has the serial number of each DHCT together wit}} the.pah; of public k.ey^ „ ^ 
belonging to it. When a CAA or EA wishes to bjegiji sej^dijOg.^MMs^p a RHCT;333. it 

20 sends a message to control suite 60? with the seriaKnurnjxr of the^D^HCT, ..(^ontfQl suite 

607 responds to the request by requesting the public t k;ey fpjr^ejDHC'I] frorp a database 
maintained by the manufacturer of DHCT 333. The database responds to the message by 
sending control suite 607 certified c PP* e Ss,°f ("EfofcO 
manufacturer thus functions as the certification authppj^ jfo£ f t^J^ys. 0 ^ 607 

25 stores the public keys in a database of its own. For details on key certification, see 

Sghneier, supra, pages 425-428. Gerixp; ? th^ 

manufacturer has two advantages: first, it solve? the prpb|em of certify ingohe keys; 
second, because the public keys come from the manufacturer and not from DHCT 333, 
x there is no requirement in conditional access system 6Q1 ^t JQHQT 333. have a reverse 
30 path to control suite 607. . 

. ; . M- -r-sic, \r.\ ;h ;pv/ c> : £ t ': ?::--.. 
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CAA keys 1329 are publib keys for the conditional access authority. In a preferred 
'• embodiment, CAA keys f 329'mclude three public keys for the conditional access 
authority. These keys are originally installed; When'DHCTSE 627 is manufactured, but 
may be changed in response to EMMs, as will be explained in more detail below. CAA 
-data 1330 includes parameters ifeed by the' CAA in managing EA storage 1331, and maps 
which map NVSCs belonging to' particular entitlement agents to'8^bit names and thereby 
permit the CA& arid the entitlement' agents to manipulate the NVSCs 121 1 by name. 

Entitlement agent 1 33 1 has EA information 1 33 1 for each entitlement agent' from which 
DHCT 333 cohtaining'ElHCTSE 627 can obtain services. The CAA uses EMMs to 
allocate NVSCsT2i 1 for arientitlementagent and the entitlement agent then uses EMMs 
to set the contents of its 7 entitlement agent information 1333. 

FIG. 14 shows how NVSCs 121 1 are organized into EA storage 1331 in a preferred 
embodiment. There are two kinds of NVSCs 121 1 : "skinny" NVSCs, as shown at 1405, 
, ..^"faCN.Y.S^ag shpwn,at 1409. . A fat NVSCis made up of a, number of skinny 
. . .NVSQs., The storage J,403 ^uch. contains, the. .three CAA public, keys, also contains two 
poimers^ one, 1402, to a free list, .1407, of unallocated skinny. NVSCs and the other. 1404. 
to.an entitlement agent list J406 of allocated fat NVSCs, ,1409. Therer is suchafatNVSC 
fo^ch.f ntitleiijeot agejit Srpm which r DHCT333 may receive services. Each of 
c ., ^ese NSVQs. 14 ; 09g)-may > .also^ave,a list 14U,ofNVSC5- which may be skinny. NVSCs 
i.1405, faj NVSCs .MO&.pr.fi combjnation-of bojii. A given NVSC 1409(i) and its list of 
skinny NVSCs make up EA information 1333(i) for an EA-j.The fat NVSC 14Q9.is an EA 
descriptor. As shown at 1333(i), the skinny NVSCs 1411 contain information for.the 
services provided by the entitlement agent such as an MSK for a service, a bit map of 
entitlement information, and information needed for interactive services such .as IPPV 

'-. } '} ::- ; ! :;v:,: r,'::~v:<>V ' ". ■ ■■ - : v,n sr. 

Control of Storage 1303 r 

In a preferred embodiment, allocation and deallocation of the NVSCs 121 1 .may be 
ultimately controlled by .either the CAA or DHCTSE 627. When the CAA controls 
allocation and deTallocation, the^CAA, usually representing the operator of DBDS. 501, 
negotiates with each of the entitlement agents and agrees on an allocation of the various 
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types of NVSCs for that entitlement ag^nt;. EA adrninistrative code 1317 checks when it 
. is interpreting EMMs.from an entitlement agent to ^ensure that the entitlement agent does 
not use more NVSCs of each type than those, allocated to it. •, , ^ - .... , 

5 When DHCTSE 627 controls NV A storage BO^.^e^op^rator of thg-CAA«egqtiates with 

each of the seryic^e providers and .agrees .op.ft^alj^t^pn *>f sto^agp needed for the 
services provided. , The CA£ then sends ^n t enc^p^4 message foth^ 
The encrypted message contains the allocation based on data types, and the entitlement 
agent prevents the service provider from, asking /pr moi£ resources. than were .negotiated. 

10 If DHCTSE 627 pevertheless recei ves requests fpr^tOFage a^ea ajbpve what is available in 

, . NVA 1303, it indicates to the user of DHCT 3^yiajfhe user interface, that no. more 

storage is available and requests the user .to either remove some s^ryjce provider resources 
or to rescind the request. 



15 a: Details of Operations Specified hy EMMs - r o si^ o- - ai,.>tt.-T .... i 

: In the following; examples of operatidns'sifecified b^EtfiWls ^tf ^VvenJbbgimlng 
: with changing -a CAA public key, continuing tfaro^'esttSOI^RA^^ E# iri'DflCfsE*' 
5 I 627v and : ending' wfth providing entltlerhem infoim&tidti fot bfoi&kW^veritsi^d 
rt'S- 'iiitfeftictive s«VilBes. -foi the pfefeh*d eiftbodimeWW'&ngi^ C Cdtftir oik 'tfttf allocation of 
20 so -r. EA storage 133 1 tb entitlement agents. In other Snbtoc!^ 

' v orie CAA. Th'ere'are two kinds of entitleiiientnWfd^^^ broadcast Services and 

"t > ' that for interactive services!- Storage for broaclc^^fidtieittehVs is xtiot6 perrhahent than 
:-h that for interactive entitlements. ' ^ VJi • mota: ;.,krr? *^*{VV; -.-toa 

The amount of memory 1207 in DHCTSE 627 is limited. The CAA manages this scarce 

■■-t-iV ■ ' -» • • ■■jf.»-J(Ji*j • vJ J h. • rr; »v:.- . : 

25 resource and allocates it to the entitlement agents from which DHCT 333 receives 

services. Different EAs may have different amounts of storage area allocated, depending 

on their needs. Once an EA has received an allocation from the CAA, the EA may 

configure the storage area within limits defined by th€ CAA. Different EAs may have 

- different limits and different types of limits. At one extreme, v &e CAA only restricts the 

30 total number of NVSCs 121 1 that an EA'itiay have mltT"EA mfdmiation 1333; The CAA ' 

f ' may impose tighter restrictions by limiting the typfes of 'ItfS/SCs "121 1 and/or the number 
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of each type. Iri this way/thef' CAA can prevent" the E A from offering specific kinds of 
services and can 1 iriiit tKe' amount' of T suchi services offered^ i.e., the amount of tinie that 
such services are offered. - - * c . ... 

When a CAA allocates fat and skinny NVSCs 121 1 for an EA, it gives each allocated 
~NVSC 12Tl a "name", i.e., each NVSC 121 1 has an identifier, such as an 8-bit identifier 
that the CAA associates with the EA for which it has allocated the NVSCs 1211. The 
CAA and the EA use the name for the NVSC 121 1 to refer to it iri EMMs that manipulate 
the NVSC. An NVSCs name need not have anything to do with its physical location in 
NVM 1 209. Since the name space is 8-bits wide, the names are assigned using a 256-bit 
map. If an entitlement agent has the name of an NVSC, it may make the NVSC into any 
type of NVSC as long as the type is one that js permitted for the EA and as long as the 
total number of NVSCs of the type belonging to the EA does not exceed the limit set bv 
the CAA that authorized the EA. 

:? bi:.,? t-v i is ~ < . - - . : ' : - • 

: . f : Once the CAA hps^llpcatpd . the g A storage arpa in. the DHCTSE, it is; up to the EA to 
15 >r -t;S?P?8- uw l l? e iS l £F?.S? ?rj?^^;T^ e ^ irst ^tep is to load certain parameters such-as a FIN into a 
descriptor for the EA. The second step is to determine which types of NVSCs are to be 
used for the protected services to be offered. The names allocated by the CAA are then 
distributed among the various types of NVSCs. Lastly, each NVSC is loaded by sending 
the appropriate EMM. 

20 r ; ..... . v; . . - • . r:— : % ... r . , t , jr. v ^ r . 

Addressing -EMMs . . . .i j'.iw 

2 :ir - n In the 1 tonditibriaf^cce^s fafyer, EMMs ire addiressed to a specific DHCTsl 627, Indexed 
by of E Al TKis md^king is taken care of in EMM header fi 13, which includes a 
unique identifier for the CAA or EA that is the source of the EMM, and that therefore is 

25 associated with the private key used to make the EMM's sealed digest. The EMM header 

also includes the. serial number for DH CTSE 627. The DHCTSE 627 responds ohly to 
those EMMs that included When a C AA is the source of tfie EMM, there 

is also a' value in-the'HeaderattHiGating which of the CAA public keys is the public key for 
the source of the. message; ^Conditional access messages may ; be transported in 4 other data 

30 protocols; ^which: may include ^^other addressing mechanisms. 
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DHCTSE 627 ignores EMMs that, are acidressed to a^QAAor EA that is not "known" by 
DHCTSE 627 (i.e., EMMs for. which .there, is jtip corresponding to the CAAID or EA 
that corresponds to the EAID). As will be explained in more dQtaiJJbelow, information 
about individual entitlements is contained in NVSCs 121 1 for the entitlements. Each of 

5 * * these NVSCs has a type, and an EA may change the type or contents of an NVSC 1211 

by sending ah EMM which specifies the name of the NVSC 121 1 to be altered. DHCTSE 
627 will alter the NVsC 1211 as indicated in the EMM unless the entitlement agent does 
not have an NVSC with that name or the change violates a constraint set by the CAA. In 
those cases; the EMM is ignored by DHCTSE! 627. Conditional access system 601 does 

10 1 " ' not require that digital broadband delivery system 501 have a reverse path. or. if one 

' exists, that any bandwidth on the reverse path be available to the EMM conditional access 

j "ii ■» i »' ; „ > -! ■:. 1 '" j .. - ii „!*1a> >'.j- » • * 

function. Consequently, DHCT 333 does not return any acknowledgment, confirmation, 

or error messages in response to an EMM. Therefore, the CAA or EA that is the source 

t\Z zp- r :.v3ihoir-.> 1 . .»*!» / • / ' Mr 
of an EMM should track the allocations of NVSCs 1211 and send only EMMs that t 

15 request legal'Operations^ In other embodiments; 3 reverse pktirmay &e required, and for ? 

a th^se embodiments, the reverse path 6ah boused ibrackrioW^ r ^ 

ChartgingaCAA 

As previously indicated, a CAA is represented in t)HCTSE 627 by its public key. Three ■■: 
20 public keys for the CAA are installed in DHCTSE 627 when it is manufactured. A need 

may occasionally arise to change the CAA of DHCTSE 627. One circumstance under 
which such a need would arise would be if the private key fph^ Q^^h^b^il ^ 
, compromised; another would be if a, new ^ 

entitlement agents. That might happen, for exatpple, ^a c^nseppencg of the^ale of all or 

. , r Apy ,opp of the public keys for a C^ : c^ t>e replaced by means of a sequence of two 
,, r . E^Msv the first of whichh^ a ? - ^ 

r / >3> icpijespqnding to a first one of the Qtfier;twopuWic has a 

30 . i? , sealed digest encrypted with >the private key gp^respQfiding : tOi*e, second one of the other 
two private keys. Each of the two EMI&S c.QAtaiiM? ai>id$f«ifiwrthfe CAAID for the new 
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CAA, a key sele'ct'value indicating wfiich of the three CAA public keys is to be replaced, 
and the' public key for the 5 hew' CAA: ' After the first EMM is successfully authenticated 
by DHCTSE 627 by verifying the digital' signature applied by the first CAA key, 
DHCTSE 627 computes a MDS ; ^ash of me new CAA public key in this first "£MM and 
5 stores it. After the second 'EMM is successfully authenticated by the DHCTSE by 

verifying the digital" signature r applied by the second CAA key, the DHCTSE computes a 
MD5 hash of the hew'CAX public key included "in this second EMM." This second hash is 
compared with the first. If the hashes are identical, the new CAA public key and CAAID 
are substituted for the public key and CAAID of the CAA specified by the key select 
1 0 value. A single CAA public key must nofbe changed twice without one of the oftier two 

GAA public keys-being changed in between? • - ' . r.-.. -:.// 

Dynamically Adding and Removing agents in DHCTSE 

, . • u.v.>.r.'. U'~?.'i 9{>. \ I :'.;"•! nb ■ - ' - ■..:<>' >. v- •. :t-.*..\- 

627: FIG. 15 

1 5 When a CAA audionzes a.DHCT 333 tp receive services from.an entitlement agent, it 

does so by sending a sequence of EMMs that.create an entitlement agent descriptor; E AD 
If 09 for the new entitlement agent, FJG.,15 shows a detailed view of:an£AD. J409(i)as 
created by the C AA EMMs._ Header 1 502 is common to. all NVSCs; 121 k Cell/status 
.1 501 jndicates whe^..the NVSC J21.1 isjUjtocated. CelLtype 1503 indicates wbadcind 

20 of data it contains; with an.E^JD, 1409. Cell type 1 503;indicates that the cell is a ; "fat" 

NV SC. ^ CelJ.name .1 505jf d>e.,8-bit,name .that the? CAA gives the cell when it allocates it. 
The names are per-EA. Vj T^at is ? £h.e.EA; information, 133,3, for an EA may inqlude { *ip to 
. 255 N VSCs. f . Next ejement 1 507 js a pointer to me next element in the ; list to which: the 
.NVSC belongs. , Tj)us v in aij unallocated, NySC, iUs.a pointer to the next NVSGin ftee 

25 list 1407; in anJEAD^l^^it^ap^mt^^the next element in E AD list 14067 andlin a 

skinny NVSC that is part of a list 141 1, it is the next skinny NVSC in that listy Next 
element 1507 is set in response to whatever EMM causes the list to be manipulated. 

The remaining fields are particular to EADs 1409. The fields labeled 1506 in FIG. 15 are 
30 all set by EMMs from the CAA. EAID 1 509 is an identifier for the entitlement agent to 

which EAD 1409 belongs; in the preferred embodiment, EAID 1509 is used to locate 

f v 
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EAD 1409 for a given entitlement agent. CAA,flags r 151 tare aset of flags that.indicate 
(1) the classes of service to which the entitlement agent. ean..grant access^and (2) w|iether 
the public key for the entitlement agent is installed in, ^AP 1 409. First skinny ;.NV. S$C 
15 13 r is a pointer to skinny NVSC-|ist 141.1 bel^ngj,ng^o .EA h^ormation 1333j tO{Which 
EAD 1409 belongs. EA maximums 1515 define the ma^imum„amqunts>of seryice^for 
the EA to which EA information 1333 belongs. The. last field, .1 506 set by .the,CAA is EA 
public key 1527, which is the public key for the EA towhich EA information 1333 
belongs. 



r v The fields in EA fields 1516 contain^fprmatipi] .th^i? assjociatedlviljh the .customer to 
whom DHCT 333 belongs. The fields ^e set by an^l^Mireceixj^jd ^a<n,theJEA after 
EAD 1409 has been allocated and fields 1506 have been set. DHCT flags 1517 include 
flags indicative of the services provided by the EA that this specify DHCT 333 is 
presently entitled to receive. Stored credit limit field 1519 is used with instances of 
impulse services, i.e., instances of services that need not be purchased in advance. Stored 
credit limit -field 1 1 519 indicates the maximitfn ^sk^^tXi^ex^ok ttiat ^Interactive " 
tustomef 1 can use without authbrizatitfri^m t&e ; EA : ; ks wilfbe Explained in cietafl 
> ■- ^foW, ! auftferization is obtained by sending ^ FPMio tfie fe^Cand receiving a confirming- 
f EMM from the EA< X coordinate 1 521 "arid V f cc?tenate ' V^cfefiBe alociticm of ' *1 
bn ^DHteT 333 in a coordinate system (toi>re^iinfed more Ml^fe 1 } esfaBlisheci feyihe * 
' Vntitfemefct agent. -Thexoohiiiike s^tenrniay % ge^g^Hlc J and may; foi example,' be 
.n 2-/Us^ to determine whether the Dftdf 333 is i&Wfc&a wMciws WSe bladked bit in a 
ci teoa&easf. The coordinate' s^tertf hi^ t^AiS^d gfeneraliy' f S^^^SSs^ofm 
saiBA^^custdmeH. For instance, &e Vco55rdJnAfe £nd ( ¥ Uor&mkle 1 couWbe use'd to define 
^-^ciistomers who do nofWisht to receive nfo vi &' that ftatie Hftifig^ 

- ^ Th6*iNis a multi-character code that the customer for the iMcf ffiseis to identify himself 
Gfr>hersdf to the entitlement agent. " ' ' • ioruzq <\ ind* Z*< n .c 



; >;r. Ci-n., :.L" \ ;-.2:io:i-. t 
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The EMMs that the CAA sends'td iet up EA information 1333 for an EA are the 
following: " f t J ' *' r * 

• Set EA Allocation Name Map 

• ' Set EA Maximum Alioc&tiotis 

5 :/ * Update ^titlfeitieht^ v . . 

: ^M header 11 13 m ill tJf^ese TEM^fs contains a CAAID for the CAA, and all of the 
* EIviMs have a sealed digest tfiat h^ijeen encrypted with the CAA's private key The 
r CAA may use these EMMs noi only to set up "^A information 1333, but also to modify 
10 1 already existing EA iriforihafion i 333' for an EA and to remove EA information 1333 for 
:: ah EA: Wheh the latter ha^ t>eefi doh£ DHCTSE 627 will no longer respond to EMMs or 
' ECMsfrbriit^ ~ 



Set E A Allocation ["Name Map 

15 The Set EA Allocation Name Map EMM contains an EAID, which uniquely identifies the 

^v-.-n;.:: v? b/i^-J arts '.. ici * -i/ A .* ' - : c;..t> ■ s.i i 

EA for which the EA information 1333 is being created or modified, and a name map 

The map has a bit for each name; when the CAA has allocated a NVSC for the EA. the bit 

io -r ' :.r-M ; ' r/i'-i A ; -■ * - r a : .. w. -...M 

corresponding to the NVSCs name is set. CAA EMM code 1315 responds to this EMM 

"by allocating the NVSCs required for EA information 1333, mapping the names for the 
20 EAID to the physical locations of NVSCs, making list 141 1 and setting first NVSC flag 

1 5 1 3 to point to it, adding the new E A Descriptor 1 409 to the head of EA list 1 406 and 
setting next element pointer 1 507 accordingly, and filling out Header fields 1 502 and 
EAM>fietd tStoM-** sni ^ ' A 1 [ ' " * ' : : - ' ' ■ r; 

?~i -.n'?:-}Z rs'z trio b*jwbo:a i ■ h;Tco;::- : .n , " ■■' . 1 - *: . »: J :\-\;iJiT3 

25 . CAA EMM code 13 1 5 stores di^ciirrent name map for the EA in CAA data 1 330 and 
consequently cah f coMpakrthfe name map in* a newly-received Set EA Allocatidh Name 
Map EMM with the^cufcrent name map; If a name is specified in both name maps,' the Set 
EA Allocation Name Map cdrim 1211 with the name. If 

the name map in the EMM specifies a name that was not ih the current name map, an 

30 NVSC 12 1 1 1 corresponding to 1 that fname is added to list 141 L If the name map in the 

EMM no longer specifies a riamelfiaf was previously allocated to the entitlement agent. 
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the NVSC 121 1 corresponding to that name is retymed.fcq free list 1407. „,After this is 
done, the name map in the EMM becomes the current name map. , . < 

Typically, an entitlement agent and a conditional agcess authority ^Ul cooperate in, : 
5 determining how large list 1411 should be. For exarpple, if an ^tiUeppQntggpnt needs 

less space, it will send a message to that effect to the CAA, the message will contain the 
names of the NVSCs 121 1 that the entitlement agent washes to .have removed, >and the 
name map in the EMM sent by the C AA will specify ,qnW the. name?, of jhe;KVSC& 1 2 1 1 
that the entitlement agent wishes to keep. It may. hqwever. happen s thaVthe f ,entitlement 
10 agent is not cooperative or that the conditional access authority must reduce the size of 

list 1411 for the entitlement agent before it receives a message, from tljp. entitlement agent. 
In that case, the CAA may remove NVSCs 1211 from list ^ name, 
beginning with the name with the highest numeric value, continuing with the next highest, 
and so on, until the required number of NVSCs m,J have been r^moyefi. - 0 i 



15 



20 



Yn: r. 'it;., . . is' \A\ AR q.:! 4 arraVi no.;-.r>ci:A a5 i <,; 

The CAA can also use the Set EA Allocation Name Map EMM to remove EA .... ? 
- n »*rv> ,i .b^:'-. •.. * L- v: > r: *i . , :. ' 0 r . '1 i iioi;-crrr:,o:ni A \ our .1^ Lv toi 
information for an EA from DHCTSE 627. When the EMM is used in this fashion, none 

of the bits in the name map are set. CAA EMM code 1315 responds by returning all of 

>/,-/.. -T-i - - *:. i k Lv> ./ j \y. / ' in^n a'!* VM r>;.^-M ..nrou' :;?.-nc^ 

the NVSCs in the EA information 1333 and EA Descriptor 1409(i) for the EA identified 

" by the EAlD in the EMM to free list 1407 and re-linking EA list 1406 as required. 



Set EA Maximum Allocations , t „ ^ _ r ,_ . 

The Set EA Maximum Allocations EMM contains the EAID for the<j|A hfttfipgthlS 

entitlement infomiation 1333 that is being created or modified and also contains values 
25 for fields ; 15 ) 1, and 151£of EAD 14Q9 r XAA EMM;jc^ EMM by 

reading down EA l^st 1406 until it fpd^EA descript^ in 
. .fee EMM and then s^ettipg fields, 15 JJ and 1^15 of,E^ l^9.using;the values in the 

EMM. r ^hen an entitlement agent sends m EM)S44cupHCT5E I 6^7 t^pt establishes 

entitlement information j^f.a certain typ^,, ftjr exampk, ^or^svpntrtl^^odertbat.j.. 
30 interprets the EMM checks the EA jp^ii^uip^llo^atipns whether the 

maximum, number of entitlements for t thai^EA ^.Jtejgn exqeede^ Iri the preferred j 
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embodiment, entitlements are represented by NVSCs. Consequently, what is limited is 
the number of NVSCs of a given type in list 1411. 

Update Entitlement agent Public Key 

The Update Entitlement Agent Public Key EMM contains the EAID for the EA having 
the entitlement information that is being created or modified and the EA's public key. 
CAA EMM code 1315 responds to this EMM by locating EA descriptor 1409 as 
described above and setting field 1527 from the public key in the EMM. With the EA's 

public key in place, DHCTSE 627 can then use the signed digests of the EMMs to verify 

. s ; v; i . . • "... \ ■ - • 
that they are from the EA. This verification is possible since the EA uses the private key 

corresponding to the updated public key to perform the signing operation. 
EA EMMs that Modify Entitlement Information 1333 

The EA EMMs that modify entitlement information have sealed digests that are encrypted 
15 using the EA ? s pnvate key. The EMMs fall into two groups: EMMs that modify EA 

" fields 1516 of E AD 1409 and EMMs that modify contents of the NVSCs making up list 
1411. As set forth with regard to'EAD 1409, each NVSC has a name, and each NVSC in 
list 141 1 has a type. An NVSC is named by the CAA. as described above, and its name 
cannot be changed by the entitlement agent. The entitlement agent can, however, change 
20 the type and contents of a NVSC, subject only to the maximums for the types established 

in EAT) i'4'09 for the ££'.' It'is up "to'me entitlement agent to keep track of the types and 
''cohtchfsof the NVSds in *£A information 



25 



The EMM that modifies EA fields 1516 of EAD 1409 is the Update Entitlement Agent 
Properties EMM. The second group of EMMs is further subdivided according to the 
kinds of entitlements they provide. There are two broad families of entitlements: 
broadcast "entitlements' for n^ services and interactive entitlements for 

interactive sessions^ Williin tiie broadcast entitlements, there are further event 
l " entitlements fofeveritS that the user pays for individually, as is the case with pay-per-view 
30 events, interactive pay-per-view events, and near video-on-demand events. The non- 

event broadcast EMMs include: 
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• Update MSK 

1 Bit MaD 



Update Digital Bit Map 



• Update Digital List 

• Update Analog MSK and Bit Map . 

5 • Update Analog MSK and List 

Sir.'-.,. "-. v ■ ' - ■ . ' ~ -~ - » 

• Update Analog Bit Map 

• Update Analog List 
The broadcast EMMs for events include 

• New Event Storage 
10 • Add/Remove PPV Event 

• Acknowledge IPPV/NVOD Event 
The EMMs for interactive sessions include 
© New Interactive Session Storage 



• Add Interactive Session 

15 • Remove Interactive Session 

j :/ 'ms/' v <• .1 " ' ' *.r; :: . ofl .^stf < 

As can be seen from the names of the EMMs, the EA can change.the type of the named * 

;.r:i ".. • ' aMi'-':' £' s -'iAi :5 ^\nc^.\ 

NVSCs allocated by the CAA as needed for events ai\d interactive sessions, subject onlv 

to the maximums specified in EAD 1409. 

20 There are separate CAA EMMs for allocating NVSCj?, setting limits on types of NVSCs, 

and assigning a public key to an entitlement agent. Also, the £A £MMs for writinc 

NVSCs 121 1 do so by name and can change the NVSC 121.1 type as well as its content 

v ' -o\ ? ,rrr. A.- Hi ; j 'ir: ' K to 

Therefore, access control system 601 has a high degree of control and flexibility. A CAA 
may dynamically constrain the total number of entitlements that an entitlement acent mav 
" give, the types of entitlements, and the number of entitlements of eacfc kind as required 
The CAA may also change the constraints either in part or as. a whole, and can do so 
either in cooperation with the entitlement agent or unilaterally. Within the constraints 
imposed by the CAA, however, the entitlement agent is fir^e to dynamically manage its 
own entitlements, changing not only entitlements of a given type, but even changing the 
30 types themselves. 
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Update Entitlement Agent Properties 

This EMM contains the values for EA fields 1516 of EAD 1409. EA administration 
EMM code 1317 reads EMM header 1 1 1 3 to get the EAID for the EA to which the EMM 

is directed and simply sets fields 1 5 1 6 in EAD 1 409 for the E A from the EMM. 

. 1 :.-$.!• ivbrjtn Ci \> 1 i.i-..',:^r ■ ^- ; ■ r. 2 

Non-Everit Broadcast EMMs 

• ; * h -J ; v-:;.: ivl -Vi \v, , ' ■ 1 ■ u-' * ■ ^ 

Of the non-event broadcast EMMs, four types will be discussed here. These are Update 

MSK, Update Bit Map, Update List, and update cQmbinations-with MSK and list or 

bitmap. Those skilled in the art will .be able to easily apply the principles explained 

j./v *. . »'. ✓ . * • « :U«j// ♦» j~ ' ■ : • ^ * ; - • 

below to EMMs that perform the functions indicated by the names of the other non-event 
broadcast EMMs. For example, the principles of digital EMMs can be applied to. analog 
EMMs. There is a separate type of NV SC 1 405 for each information type ptpyided by 

the above non-event broadcast EMMs. FIG. 16 shows the contents of four of these types 

r ,v {; . -. . /: 4*' i ."'-i ! "3d J K. r u ^-n: * . j . ^oj * • 1 ' - ^ r 

of NVSCs. Each NVSC type will be discussed together with the EMM thatprovides the 
15 information it contains. 

Update MSK 

The Update MSK EMM is used to send a new MSK for a set of services provid$d~by the 
EA specified by the EMM. The rjevy MSK and other information associated with the 

20 MSK are stored in MSK NVSC 1601 in list 141 1 for EA information 133a belonging to 

v.. •• . - ■ * -j--: \ u * -: t 'i/..:u\^ t ' v ' a . . . ' - »• "■ ■ - * B 

the EA specified by the EMM. Included in MSK NVSC 1601 is header 1,502: /Header 
1 502 specifies that NVSC 1 601 is^ a MSK NVSC, gives the l^VSC's name, and contains 
next element pointer 1507 to .the next element in list 1411. The other fieldsxontam 
information about the MSK. In the preferred embodiment, MSK 1608 has two 128-bit 

25 parts: the even MSK 1 609 and the odd MSK 1611. Each part has two halves i e * a first 

'■to! '".-I !.-'. j*;:.;:-;r:.Vi: / J. r; • - : ; ■ ^ - j ■-■ * 

half and second half, each of which has 56 key bits and 8 unused parity, bits. The MSK 
1608 is associated with a p,air identifier \ 603 for MSK 1608, an expiration date 1605 for 
MSK 1608, and a flag 1607 indicating whether the value of expiration date 1605 should 
be ignored. If the expiation date 1 605 is not to be ignored, DHCTSE 627 will not use 
MSK 1608 to decrypt a control word after the expiration date. The identifier 1603, is per- 
EA, and consequently, a giyen.EA ma^ have one or more MSK NVSCs 1601 at any given 
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time 10 store a plurality of different MSKs. f ^us,^onditional access system 601 not only 
permits separate security partitions for each EA, but also permits security partitions 
within an EA. _ 

.c- v ..: v . :is. r 'i> O: 1 r. f 5':: fcbl'itf •: . "... . , a. 

The Update MSK EMM header contains the EAID needed to locate EA information 1333 



for the EA; the message contains the name of the NVSC that is to receive the MSK a 




?xpitatibr 

10 theChaiTges. Ala maximum, the EMM contains a value for MSK pair ID 1603 ? a value 

,, - J " fot expiration date 1 1605,' a value'Tor no expiratfon'date 1607,' and values for even MSK 
}o.*r i^'iiiti odd MSK 1611. EA M&K coHe'Bl^ processes MSK EMM 

^ locatitik E5\ IhfohriitioH 1353 for the EA^identiiTiedVy the 'EMM- headers EAID, using 
zoc - } the cielf name* to locate the proper NVSC, givtngtHat NVSCthe MSK type* and then 
15 3d; Siting td'the MS£ NVSC 1 60 r as reqiiife^by tte hags and the information in the EMM. 
This procedure is the same for both analog and digital Update MSK EMMs. The 
differences are in the EMM command code in EMM Header 1 123 and NVSC type 1503. 

! Entitlement Identifiers h: ° ^ v ' Act 1 " 1 1 ^ 

20 !A.s ! v/ilhbe Explained in more detail beTowT an fecM specifies the service instance that it 

actbrfipanies by 1 nieans* 6*f ( 1 ) the EAID c for*the entitlement agent that is the source of the 
v) ' ECM^and 1 (1) a 32-bit entitlement ID for the ^tMcei'fen^tfraent IDs are per-E A.' By 
aqkii rtikkiftg tiie entitlement IDs 3 2 ; bits long, each E& will 'nave" enough ^entitlement IDs even 
forttansient services such as pay-per-view events and interactive services. In the 
25 - prefferred ! embodinient; ^tvnen D^Ctsfe'&'f mterprete an ic^il^S^SSS^DHCT 
:a ' fi? ; 353 isehtitled to decrypt 'trie instance by iodking'ih^X inlformation 1333 for the EA 

ip&ified ih the ECM~for an'eintitldment ID that corresponds to the enti'tiement ID 
• " ' specifietfin the ECM. The dntitlement l6s m I ^'^ii^ J ^!^EXWon^on l 1~333 can 
; be represented in at least two "ways. One wayYs b"y simply likting entitlement IDs. The 
30 - - drawback with this technique is lhat the ! 3^•bltm^a^iQbs ; tfe , large, and NVSCs are a 
• scarce resource. The cither Way is by means oT a starting entitlement ID value and a bit 
- fliap. Any entitlement ID'having a^Vafue wifhih'S^S 1 of u^e entitfement ID value" specified 
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by the starting entitlement ID Viliie can be specified by setting a bit in the bit map. This 
technique is set forth in the Banker and Akins patent application supra. See particularly 
FIG. 2 of the Banker and Akins patent application and the discussion of that figure. The 
following discussion of specifying entitlement IDs by means of a starting It) and a bit 
5 map is ah expainsioh 6f the discussioh in that patent application. ' ' ' ' ' 

Update Bit MapEMM " ■ • : «• 

this EMM Updates k Mf map that specifies one or more entitlement IDs. The bit map is 
" stored ift an ehtftlfement bit map NVSC 1615. NVSC 1613 Has a header 1 5 02 with the 
1 0 cell number and type of tliel^VsC; a first entitlement ID 1 6 1 5, which is the first 

^ entitlement ID which may Be specified by the bit map; an expiration date 1 6 1 7 ? which 
' 'specifies wlfen the ey^lerheht IDs specified by first entitlement ID 1615 and the bit map 
" empire; a ho expiration date flag f<J19, which indicates whether there is in fact an C 
expiratioii date; ahd l^t map 62 1 1 The update bitmap EMM contains the cell name for 
15 the NVSC l6l3 toVe set* a set of flags' which indicate the information in NVSC 1613 that 

is to be set by the EMM, and the values for the information. The EMM may set any or all 
of first entitlement ID 1615, expiration date 1617. no expiration date 1619, and bit map 
i62i: EA admihiktratiVe EM 1 31 7 responds to the EMM by setting the fields of 

the specified NVSC T 613 as indicated in the EMM. This procedure is the same for both 
20 Update Digital Bit Map and Update Analog Bit Map EMMs. The differences are in the 

EMM command code in EMM rieader 1 1 23 arid NVSC type 1503. 

. ■'* j - ' ^ 

The Update List EMM updates a list of entitlement IDs that is contained in an entitlement 
25 list NVSC 1 623. NVSC 1 623 has a header 1 502 with the cell name and type for the 

NVSC and contains up to six entitlement ID elements 1625. Each of the elements 
contains an entitlement ID 1627, an expiration date 1629 for the entitlement ID, and a flag 
1 63 1 indicating whether the entitlement ID has an expiration date. The update list EMM 
contains the cell name for the NVSC, a value for the flag, an expiration date, and values 
30 for up to six entitlement ID elements 1625. This procedure is the same for both Update 
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Digital List and Update Analog List EMMs. The differences ar^ in the EMM command 
code in EMM Header 1 1 23 and NVSC type 1 503 . 

.. . .-.jr." • ; • *. r? I 1 .-.^ ..c: . ~ . '*•<>. V:o - . ~.T" 
Broadcast Events :u . 

5 A broadcast event is a one-time service, such as a pay-per r yiew bro^^st.q£a>boxing 

match. In the preferred embodiment, there are two kinds of broadcast events: ordinary 
pay-per-view broadcast events, in which the customer has ordered in.advance to see Ihe. 
event, and impulse events where the customer decides at the time the event, is broadcast 
that he wants to order it. There are different kinds of impulse events, such as: impulse 

10 pay-per-view (IPPV) events, which are pay-per-yie\y eyents -where the customer cari 

decide at the time of the event to purchase it, and near video-on-demand CNYQD), where 
popular movies are rebroadcast at short intervals and the customer can decide when the 

rebroadcast occurs whether he or she wants to view it. -Those skilled in the art will realize 

*. : j( 1 . ». 3.*'. 9 fioij*- or. f : . • . : ■■• 

that the concept of an i4 event" can refer to any service over a specific time period (whether 

broadcast or non-broadcast), such as video on demand events or other types of events not 

lij-:, ! ; '' r... ■ f *. w ' " w « r.^fi: TO it . cT mcT J? ^ -<' * . i; . < 

listed here. 

Us v:, • \i "" : ' v - . r.r • ■ Mr. sr..- ^rs .MfV n w." '.-■<- * ^. 

In the case of pay-per-view events, the customer orders the event from the entitlement v 
agent, and the agent responds by sending an EMM that contains^he necessary erjtitlement 
information. In the case of events where the customer decides £t broadcast-Xirt\e that he or 
she wants to purchase the event, purchase information r i.e., information about the , 
entitlements that can be purchased, must be distributed with the event. In these cases, the 
purchase information is distributed by means of global broadcast authenticated messages, 
or GBAMs. The customer provides input 628 that specifies a purchase. The DHCT 333 
25 responds to the input 628 by storing the record of purchase in the DHCTSE 627 and then 

beginhmg to decrypt the event. Later, the DHCT 333 sends the entitlement agent a 

. . -. 7 .--.:. C • • v^":.ti'J f -- :<!:•: *.: .s 

forwarded purchase message (FPM) indicating what has been purchased by the customer, 
£ ' , T - " • • ■ ■ : t : -eb • . * .7.: .v CI ^t^-t/ i.i;::: i-. 

and the entitlement authority responds with an EMM that confirms the purchase and 

contains the necessary entitlement information, the record of the purchase remains until 

.... « • I' . , . ' ■ v>v "\ cc-' 

30 ah EMM confirming the purchase is received by the DHCTSE 627. 

...••sp-'.r":-. : . . ^ . : CI .7:;:..: ,; T* f ■ . ■ 
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Event NVSCs: FIG. 17 ' - ' Yl 

FIG. 17 shows event NVSC j i fQl used to store entitlement information for events^ 
; Hdddcr fie[d-r502 is similar to fliat for otherNVSCs 1 701 . Each eVent NVSC 1 702 may 
M cbritain up toihree event descriptor^ 1703 , each of which describes a single event. Each 
5 event aescriptorl703 coritairts^' Flags Mifeld i 705 thaft includes flagVto indicate (f) 

s ' whether'the event is active, (2? whether it$ end time has Been exVehded,'(3 ) whether the 
2 entitlement agent hafc cbnilrmed purchase 6f the event, (4) whether the customer can 
* cahcclS^any tinrife, (5VWhethCT tfie^^ in a cancellation window, (6) 

lJ whcth£r the customer htok cahCelfe'dttfe. purchase/ (7) whetheVthe right tb copy the event 
10 has been pu^ 

time 1 709 is the later of the start time for the event or the time the customer purchased the 
event. End time 1 709 is the time the event is to end. Cost 1711 is the cost of the event to 
the custom'ef^nd-erUitiemerit fE> i71 3^is the entitlement ID fof the event. * ' : 

15 -New-'*EVcn^St6rage-]&MM n " ' r " : ' : - rh: ' 71 

" Wlteh the CAA ; seis upfentite 1409 for an entitlement agent, it 

l: iridItidcs¥valUe^ ^i^EA M^xin^ih^ «15 that limits the number of event NV§Cs' 1*701 the 
entitleriierit ^gerit may h£v6. ; Within thkn^mben however, the entitlementagem is free 
to allocate e^feht N^SCk T70 i from the total number of ft VScV i 405 belonging to the 
20 ' t% entitlement agent And to reuse^existirig^cverit NVSCs 1 70 1 : To allocate an £vent fJVSC, 
- the EA uses fhfe new eveht 3t6'rage EMM; which simply contains the cell name for the 
' NVSC &tiicMto c te aTlod^: : 'OHde the eVeht NVSC % 1 701 fias been allocated, its fields 
are set as follows: -'^ - 5/ ™ v - 

• In the case of an ordinary PPV event, fields are set by an add/delete event EMM; 
25 : :r:vA ■« '•' ttvthleJ c^febfdhl^P^ or NVOD evehu fieldfare set in part from the GBAM for 
the fervent and ih part 1 from customer input 628^ 

: " ' •• The contents of an evlerit l^V^C 1 70 1 are deleted by an acid/delete event EMM or by 
; receiving an Wcik btmim greater than the event end time in the event NVSC 

30 1701, if the evfent record 4 had been previously acknowledged by receiving the 

Acknowledge Event EMM. 
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The Add/delete Event EMM . / 

The add/delete event EMM contains a flag w^i.pji.ij^icates ; y/hether the EM1VJ is setting or 
deleting an event. In the latter, case, the contents of tl^EMfyl must n^atch the cjurrent 
. contents of the NVSC 1701 that is to b? deleted. In>Jhe former cascthe values of the 
EM^ include flags indicating whether tjime extension^ are allowed and jvyhqthet^he right 
M' t0 !^Py h ^ - been P¥^ a s? d - ' Fyf^fT- incJlu^are yakies^for the e,yent: s, start time,and end 

nt. WbeflJthead(Wdelete.flag indicates,"delete'\ 
v EA administrative code deletes toe cpntejijts oJC ) th©h[YSg ! .17Pi f ^en it, indicates "add", 
_ the code sets the corresppnding fields of the .ISty^.l^ tp the values specified in the 
i?x £MM. , Ttle fla^^t indicates whether the EA r has, ac^ pufeh^se is spt to so 

indicate. . . - 

or ;rs*. s .'»*) % o . • * tJtifi* srl; \- T i jrr;i. b(i. rr. 

The Global Broadcast Authenticated Message: FIG& .4 8-20. 

The Global Broadcast Authenticated Message (GBAM) is, like the EMMs, ECMs ? and 
15 FPMs, a CA message. A GBAM is broadcast by ap/eptitlementj3ggn$ tpjDJiGT^ 333. 

, FI .G : . ] 8 shows a CA mesgage 805. including. a QBA^yl J, 8.0J ..Message, 80$, includes a CA 

• { OBAM ! header : 1807 and global broadcast^aj^l Sp^ GJpbafb^adcast data. 180$ is not r 
encrypted, but .QB AM 18,01 is authenticated in tij^e pan^ fas^on as^EC,^ , header 
20 , . ,.1,807, global broadcast data ,1 8.0,9, arid. MSK.,1. 01,5 fee^ngjrjg to.jji^EA yhjfh^nt the 
GBAM are hashed by one-way hash function MD5, tp produce GBAM .MAC 1-805. As 
f _ yrith the ECM, the MSK. 1015 is ^ shared secret bet we^ t^ EA^whi^h s c e# the GBAM 
and DHCTs 333 that have EA information 1333 for the EA. ... 0 . „ rn 

25 ^ FICj. 19 shows GBAM header K .l 807 in detaiLas.well asrthe fpi^i th.« global broadcast data 
1 809 takes when GBAM 1801 r is used to provide entitlement infpnjiatipn for IPPV or 
NVOD. GBAM header 1807 has a conditional access system ID 1901 that identifies CA 
system 601 in which GBAM 180£ is bein^ used, a tag which indicates that the message is 
a GBAM, and the identifier 1 905 of the entitlement agent sending the GBAM, : Fields 

30 1 907 and 1909 specify the key that was used to majce, MAC f 1,805,.. Field 1907-specifies 

'iv - r' ■' • 
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the parity t>f the MSK half used tomake the 'digest, and MSK select 191 i is an identifier 
fertile MSK itself. - '■ - s - : - ' " ' 7 -'- " ( : ' ' ' ' ; • 
■<."'•■■ •'■ ■ '-iJ!'. '..r'iii'"c • . : "•> -•' - '■ >'■!•' i 

Purchasable entitlement datal 913 refers to file form of giobal broadcast data 1 809 that is 
5 '••-•«■ ? used to provide ehfitlement^nfbrmatioA for IPPV or NVOD. Of the fields that are 

relevant for the present discussion, Entitlement ID 1 91 3 Vine entitlement ID for the event 
associated with the GBAM, and Flags 1917 include flags indicating what kind of 
cancellation is allowed and whither the time for the* event may be extended. 'Number of 
= modes 1919 indicates hdwinany'differeht modes there are for purchasing the event. The 
l o rights which the purchaser leeeives to the event and the price the purchaser must pay will 

vary with the mode. In the preferred embodiment, an event may have up to five purchase 
: . modes. . If mere purchaseimodes are required, 1 additional GBAMs may be sent. 5 The rights 
and prices for each mode are indicated by arrays. Each array has as many valid elements 
as there arenmodes;.-The Value df ah element corresponding to a mode indicates ihe right 
15 or.priceToE3mat:mode..:Thus;nioden^ copy field 1921 is a bit array; if a bit fora 

mode is set, the purchaserof the mode has theright'tb copy the event. Similarly; mode 
length field 1927 contains a value for each mode which indicates the length of time for 
V the event in thattfiode; Mode cosf field 1929 contains a value for e'acn mode vvhich 
-.; «i .indicates the cost for the' event in that mode: Earliest start field 1923 gives tfte earliest 
20 i ,v time at which entitlemehtTor tSe'event can Start, and latest- end field 1 925 gives the latest 
•• timeuat- which entitlement muStehd> [l - - : '• ' :r ■'• 1 - 

10 :'{.:•:-: .'/'O: xziz--i .'O - 'Irt . ': - ..•<• 

m-s •iWne^DHCT:333 receives GISAM. 180r, it passes ? GBAM' 1801 to DHCTSE 62? for 
authenticatibhiof global ibroadcasl data 1809. Authentication will fail unl'esi DHCTSE 
25 ., 627)has the required MSK?)If^l y£>HGTSE-627 has the r required MSK and (^global 

1 r 'broadcastdata:l809uis data ;49$3rDHCT 3 33' permits the customer to purchasVthe" event, 
jr In so doing the customer Identifies himself or herselfito DHCT 3^3 by means of a' PIN, 
. and that PIN must matcfaipfrJ'-l 525 M EAD '1409 for the entitlement agent that sent the 
c GBAM. In making hi£'6f her purchase, the customer alsb Specifies the relevant modes. 
30 Given the mode infonfiafiori and'the cost-information in the GBAM',; DHCT 333 can 

determine whether orderihg^the impulse' event will cause the customer to exceed the 
•' amount (of time; money; ete.O specified in stored credit limit" 1 519 in EAD M697 If the 
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customer has not exceeded the limit, the information jypm the GBAM and from the 
purchaser's inputs are used to make an event descriptor 1703 for the event: DHCT 333 
passes the information to DHCTSE 627, which sets the fields in event descriptor 1 703 
according to the values provided it by DHCT ,333. The flag that indicates whether the 
5 purchase information has. beep acknowledged is cleared, and thecost of ! the, event is added ?- 

to the current credit balance.. . 

The Forwarded Purchase Message: JflG^l/ Ur b. /o. - ..: ^ ! -^t. 
• pie forwarded purchase message (FRM) ip a preferred embodiment serves two purposes: 
10 r*i' cr • il informs the entitlement agent that the customer has purchasfed anlPPV or 



. NVOD event; and 



.,, r? ,j. • 11 informs the entitlement jagent that the GusioniQr,has.cancel«d>the purchase^of any 

im ^ Iri other embodiments, messages like the FPM gaiPbe^ed Jo transfer ;amy* kind of <. : t 
15 infprmation from E)HCT 333 toa CAA^or ai^EA^F^r ,ej*^ple/such a*message can be 

used to transfer monthly order infonnation frqm PHCTc333 jt0an EAi; ?\ *iko r *.r* 
- .*:. • r ,- • .,; ... j - . , - ;o; *u:iV' ? i;:i.;l~oo bh n ^ 

DHCT 3 3.3 sends a forwarded purchase message Avkhithe/purCha^jmfonhmi^ via' the xr. 
r, J ever ? e chapel to ; th? : entitlement agenuhat^gntjthe £}£AMi TheltRMrfs contained in &' 
20 ] ^v er ?? c tywe\ dpta packet that is ^dressed to thehEAc F 1G- v2J;pFQyides:an overview of 
the FPM and of the cryptographic measures usec^e protects «s contents:- 4 FEM 24 01 is a 
CA message 805 and consequently is sent with a CA message header 1 003. FPM 2101 
hsplf js mad$ up of FPM encrypted envelope kej(,21 ^wbi^ei^torthaEAHT for the 
^2f5^™f??r %&? nian $ JPHkey 21 1 9 %,d*q3fp^ 
25 ^n FPM encrypted e,yents,21 U r ^e ^ 

encrypted for privacy using &e jwWic^^^ thg entidemeftt ^gfefufe for which FPMc2 1 0 1 
v , r is mtendp^d^ CA FPM paessage 2L05 includes.GA^M.feea^rcZl-h which includes the 
, EAID for the intended EA^and ^ FPN^encrypje4 ?Y e ^251^r£ae;latter §re encrypted 
5 using the 3-DES algorithm ^yith the, key ,in eay^op&feejK2l03(.i £A EPM message 2105's 
30 parts are. a header 213, fPJVipJear eyente2133 n whichj<^ntaw5 the pserchase information, 

and padding 2135. Th^last part of FPM^lpl is fPMisjgn^ authentication 2107, which 
is enqrypted with the private key of DHCT 33 y 3 ; frc^B whkh FPM. message. 2 101 is sent. 
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The encrypted material includes FPM signing header 2125, FPM MAC 2i27, and 
padding 21 29. FPM MAC 2 1 27 is made using the MD 5 one-way hash algorithm from 
'FPM clear events 213?. Only theEA for which the FPM is intended can decrypt "' 
envelope key 2103 to obtain key ^l'l9 to decrypt FPM encryptedevents 2123, and the EA 
5 can check the authenticity of FPiCfclear 'events 2 1 33 only if it has the public key for 

DHCT 333 from which FPM 2101 was sent. 

1 The part; of FPM 2101 which 1 is A of- further interest here is FPM clear events 2133. The 
information* iif that part of the FPM includes the serial number of DHCTSE 627 in DHCT 
10 333 from-which the message^ "came; the EAID of the destination EA, and an indication of 

> : .the number of events for which ? the FPM contains purchase information. The information 
for each event is Contained m forwarded event data for that event. The forwarded'' event 
'data is taken /from GBAM 1501 and event descriptor 1703 for the event. Fields oHtiterest 
- , : i'n the present eontexHnclude' flags indicating^! ) whether the event? has-been exteiided, 
1 5 (2) whether the- ifeer^^ceteyr&e-event;^d-(3) whether the customer has purchased 

the right to copy. Other information mclude^thfe time the everit started of was purchased, 
'^ht(^^ei^is* : lateif;-tne time the event is to end, its cost to the customer, and the " ' °' 
ehtitlemerit'ID Sof the event. To caftcel any event, including an ordinary pay-per-view 
event, DHCT 333 sends an FPM with the same message, but with me event canceled flag 
20 set to indicate cancellation. The conditions under which DHCT 333 sends an FPM 

: - cancellation message Will be explained in more detail below. FPMs may also be used to 
purchase other service types,' siicfr as ! monthly subscriptions, of "data dovmfoads, for ' 
•j; < example,- - ^ i.u zltfi liumrto • : - : : r .x " :.• .<;.-■ r~> -y:;-- 

.7 ■■ .. .vti: L".«2 

25 The Acknowledge IPPV/NVOD Event EMM 

When the'eiititlemeht agent receives the FPM, it enters the information contained in the 
' 4 FPM in its customer information database and returns an acknowledge IPPV/NVOD 
event EMM to DHCT 333! EMM command data 1 125 in this EMM contains an exact 
copy bf the forwarded event' data m the FPM that the EMM is acknowledging! When 
30 DHCTSE 627 receives this EMM,' it decrypts and authenticates it and then, for each item 

of copied forwarded event data, it uses me entitlement ID to locate event NVSC 1701 for 
the event. Having located tiie eWift'NVSC 1701, it compares the copied forwarded event 

54 

SUBSTITUTE SHEET (RULE 26) 



BNSDOCID <WO ©907150A1 I > 



WO 99/07150 PCT/US98/16145 

data with the corresponding fields of event NVSC, 1/7Q1 . . If.they are the same, DHCTSE 
627 sets the flag in Flags Field 1,705 that indicates that the purchase has been confirmed 
and adjusts the stored credit balance. If the EMM has it? "canceled" flag set, the "in.use" 
flag in event NVSC 1 701 is set to indicate tto^c^pit r KV.SQ.17pi is not in use. and is 
5 therefore available for reuse by the entitlement agent . r 

Other uses of GBAM 1801 

QBAM 1801 can be used generally tqbroadc^tau^^ m^ss^ge^a &MPEG-2 

... transport stream, or other transport mechanisms, to DHCJs 333. ; QAjsyjste^ : 60> itself 
10 % uses 1 801 in two other ways: to periG$}icdl$Jpj<^^ v^lue^o DHCTs 

333 and to extend the time for, events. In the/qmigrjca§e; • Gp^ly^l^Oli Sitnply carries the 
^ time value, which is a secure time, dueto the QB^tyl^ ^the^tiea^oni /Fhe<codein 
^ ^ DHCT 333 which carries out^ task for the entidpment,]agen.t ^^aV.sent,the;§yste3tittime 
GBAM <can u§e the time ^alue to coordinate itea^ ^Mote 
1 5 : ^that this arrangement permits the use pf^er-^nt^ ) : 

j permits, establishing f uniform syst^n? timf t^ughputja ; tjligit§i ^road^d,dei,i : y«ry r ; J ? - 
system fcy setting-up one entitlement agent ip ^chpHGT ; 3^3 $fjthe d;BitaldtH^Adband 
delivery systep as the "system time entitlement ggenjt" anc^addres^ipg il}Q:$sstQtn.tOTe;2, 
„ ? GBAM tp the systerri time entitlement agent. ,?> ^nz , Vl Z-A. T'jr-ICJ : r:v/:> i 

, GB AMs . 1801 that extend the time for an evei^jpan^ the^ntrtjpmenv ID* for tfogeyens and 
the number of minutes the time; for the event is tp.l^ extended. v When ,GB AM 1 801 is 
received and provided to DHCTSE 627, the secure element adds the number -qg myites to 
end time 1709. 

FIG. 20 shows a server application 2001 executing on^a processor haying access to- 
entitlement agent 2005 and to the MPEG-2 transport : stream . being received by a gn^up of 
DHCTs 333. The server application 2001 can use GBAM \ 801 to send authenticated 
messages to the DHCTs 333. Server application 2001 sends a message to entitlement 
30 agent 2005, which uses its transaction encryption deyice. 603 to make a GBAM 1 801 

including the payload. Entitlement agent 2005 then returns the GBAM to-server 
application 2001 which sends application jdata together with the GBAM, as shown at 
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2007, to client application 2009 m tHe' bHCts ; 333. Each client application sends GBAM 
1 801 to DHCTSE 627; which authehticates it: * If the authentication succeeds, DHCTSE 
627 sends an acknowfedgment^atTient applicatioti 2009. It should be noted here that it is 
the entitlement agent and not server application 2001 which authenticates the jiayload. 

NVSCs and EMMs for Interactive Sessions 1 U " 

"DBDS"501 can also be used for imefactive sessions. Examples of such uses are browsing 

?r'\ „\J"J. ' • 'JS. 'i rvy/r^ i ■ - f - & ■ \ ■ . ; " - ::u 

the Internet or playing video gam&s. In such applications, data being sent to the customer 

\vili generally go via the MPEG-2 transport stream, while data being sent from the 

customer will go via the reverse channel. Such an arrangement is advantageous for the 

... . r.;. s . ■ : i?*|:;i '/ :-'tuE5t\ % . -J": * " x, ^r •^•'•" r . ■ r vi 

many interactive applications in which the customer receives a large amount of data, for 

example, the data that represents an image, makes a short response, and then receives 
another large amount 'of data. 



1 5 Eabh interactive session that is Currently taking place with a user of DHCT 333 has an 

interactive session ~NVSt 1 2 iT in list 141 i belonging to the entitlement agent that grants 

access to the interactive session. The interactive session NVSC contains a session key for 

•;n, : ..;bc Si y \> j.';.;': rroi:.-. . .-■ T v ,:1 JV,V' c.mV, 

the interactive session and an entitlement ID for the interactive session. DHCTSE 627 

allocates the interactive session NVSC in response to a new interactive session storage 

20 EMM from the entitlement agefit. The new interactive session storage EMM simply 



'contains the cell name of the NVSC to be used for the interactive session. 

Once the EA has established the NVSC, it sends an "add interactive session" EMM that is 

' , , .hhL-z: Ji nsilw I < : - <"••* ; •■ ! r<< . /m- v. ic, \ is-.t-v 

directed to the name of the newly-allocated NVSC and contains the entitlement ID and 

the key for the interactive session. The secure element places the entitlement ID and key 

' - i • *j ** ~ ?■ ■* ■'w- » \ \ ,** * * ** " * o * *L/s" * ; > s ^ ••' ** «**" * * . ■ 

in the NVSC. When the EA detennines that the interactive session is over, it sends a 

remove interactive session EMM with the entitlement ID for the interactive session and 
tfie secure element deletes the contents of the NVSC It is of course possible that the 
entitlement agent sends a new interactive storage EMM at a time when all of the 
30 interactive session NVSi6s allotted by the CAA to the EA are already in use. DHCTSE 

627 in a preferred embodiment deals with this situation by keeping track of the last time 
each interactive session sent or received data. When a new interactive session is needed 
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and none is available, DHCTSE 627 shuts doym the interactive session that least recently 
. j sent or received data and uses th^t interactive ses5ipr}^iciteractiv^ sessionNVSC for the 
new interactive session. Another solytipn is to requ^stihe user Jp select an interactive 
se^n tobetenninated. , , , ¥1 , V v^:v -srrrv. <. , ■ ,f:i;:.:^:i 

Details of theECM: FIG. 22 ... " , ~, w * . - ^ 

The information in an ECM that is used to determine whether the instance of a service 
that the ECM accompanies is to be decrypted in a given DHCT 333 is contained in ECM 

entitlement unit message 101 1. FIG. 22 gives detaU&jof the contents of ECM entitlement 

•Ai m< nt ./ - : iiv ..n>- is r • part ^■C:^LA v., .■«•■ v. : sr- :^ : - 
unit message 101 1 for a preferred embodiment of the present invention. Beginning with 

message ID 2205, the two fields 2201 and 2203 identify this message as an ECM 

entitlement unit message. EAID 2207 is the identifier for the entitlement agent which 

v • . ■ »: ^ . ' ;2r- o " na ::'nf.w rpi ::-rl; ^J5;i- >» 5< .;v- 

grants entitlements to access to the instance of the service t^hat tht^ECM accompanies. 

Decryption information 2209 is information used to produce the control word 2235. , :~ 
Control word counter value 2235 is encrypted using. t}ie ^DI^S algorithm in a. preferred;^ 
embodiment. This algorithm employs two keys, and in. a preferred embodiment, each key 
is 1/2 of the MSK. Also, there are two versions of the MSK: even and odd. MSK parity 
221 1 specifies which version is to be used in the 3DES algorithm. MSK ID 2213 2 
specifies which MSK belonging to the entitlement agent is to be used, or if the ECML 
accompanies data for an interactive session, it specifies that the key is to be found in the 
NVSC for the interactive session. Control word parity 2215 specifies the parity of the 

unencrypted control word 2235. Parity count 2217 is a 0-1 counter that has the value 0 

i\ \z\i) I AW : " v. r- : rr. • J ti ..>•'-/'/: -Hi ^n AF-an: . 

when the parity of the control word is even and 1 when it is odd. 

1;.^; \}\ ^:i:J:::v^ • ... s.j rr.f / 'A .■:,.;::-o^- /{•vjn ^curo ^ia^r tulJ o: D^^cnio 

r 5 j j.-^ Qj ■ jj, * ' ?: w Jr ;./ r ;. ^i-. > :>/ : " r .n*:r22'Jc! 5v'*;a/r.^J/:i ' * 

Free preview 2219 is a flag that indicates that the ECM is accompanying a portion of the 

service instance that is a free preview. That is, as long as a customer has the MSK for 

wis tiokv ' - - ... tti:!':; • » .L?:v ./.r/.!: r.ov^^c sr'ii^i ■ n 

decrypting tiie service instance, the customer needs no fyrther entitlements to view the 

'free preview portion of the service. The main use of free previews is with IPPV or 

30 NVOD services. Copy protection level 2221 is a value which indicates to what extent the 

instance may be copied. Blackout/spotlight 2223 is a value which indicates how 

-.; ■{ .... ■ ' **: :v j v::? A ' ~ ■ ■' lvr^.'.°- > ' 

: . m:.: ■ • • * << ' ' * - ' 'l^^ i * 
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blackout/spotlight informafion 1 22Wvs to be used:' not at all, for a blackout, or for a 
spotlight (i.e., the service is targeted to fo^ " *" ' 

Number of entitlement IDs -2225 3 s^ebifie's the number of entitlement IDs 2245 tHat are 
5 contained in this ECM. The maximum number in a preferred embodiment is six in a 

1 single ©CM: Multiple fifelHS Way be sent fbr each service. Allow IPP V 2^29 is a 'flag 
whibhihdicatbs Whether tfie service instance* may be viewed on an IPPV or T^lVdD basis. 
Cancel window 223 1 is a bit that is set in~ a service instance that may be viewed as an 
event to indicate the erid'bf the Jr period during' which the customer may cancel tlie event. 
1 0 Time stamp 2253' is ii} tiriW stamp indicating tfie time at which the ECM was created. 

■ J Encrypted cohtrol ; word 213^ is r the conttol word contained in the ECM. It is encrypted 
using the SDESal'gdmhni'iantf the MSK for the^etvice instance. ' : ^ f • - 

Blackbutyspofligiit infoirtatibri 223 6 defines a geographic* area which is to be'blacked out 
1 5 or spotlighted by an fngfcaiibi^bf a Seftfce: It does so by means of x centroid 2239 "and y 

centroid 2241, the two of which define a point in a geographical coordinate system 
- iU - defined by the fentitlembrit W^efttVand'blackout radius 2237, Which is used to determine a 
r square : thit > is^center'ed oh the p'6mt 'defined by fields 2239 and 2241 and that has sides that 
1 are twice' the value 6f blackout radius 2237. Entitlement ID list 2243~contain£ from one 
20 to six entitletnfehrlDk Wt^ inStaWc^ of th^ service that the ECM accompanies. 

Details o^^ FIGs. ; 26and 27 " 

:,arlo>^.-3 ofem lA'-UJ $dl\o iteV rS*:zy-i \o - '■■ : - ' • !; : ' f: ni 

The coordinate system used in a preferred embodiment is shown in FIG. 26. Coordinate 

system 2601 is a 256 unit by 256 unit square, with the origin at the lower left-hand comer. 

'•' * *'* • .} ^!^,vj ['■)^,;;fqyj fti* \;7^ r i- , "* 'Cits*: .* '*." 1 C? '*? 1 ' J"- '." "Ij 

25 Tn the coordinate system* it 1 is the lines, rather than the spaces between them, that are 

numbered. The entitlement agent to which coordinate system 2601 belongs assigns each 
DHCT 333 in the area covered by the coordinate system the coordinates of an intersection 
of a line that is perpendicular to the x axis with a line that is perpendicular to the j>£xis. 
thus, a DHCT 333(k) may be assigned the point (i j) 2603 in coordinate system 2601 . 

30 { 

; - ' • : Vai r,-r. v- — ./:.•" • f - ;v.- 

FIG. 27 shows how areas are defined in coordinate system 2601 . Area 2705 has its 

centroid 2701 at the point whose coordinates are (57,90). The radius 2703 of the area is 
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three, so this number is added to and subtracted^from.eaph of the coordinates of the 
ccntroid to produce a square 2705 whose ^.w^ileftTh^d corner is at (54,87) and whose 
upper riehi-hand corner is at (60,93). In the preferred embodiment, points on the left and 
bottom lines are in the.area; ppints.on the top ^nd/ighMines are not. : . . r (: - 

5 r t 

, Determining whether to Pecry pt the Service lijs^nce that Accompanies an ECM 
Conceptually, what happens when receives 9n3CM,aQcompaaying an /; x 

instance of a service is that DHCT 333 provides tfie ECM to DHCTSE 627,.which * 
examines the NVSCs in EA stpr^ge 133,1 to find^whetjaer the customer to whom DHCT 
10 333 belongs is entitled to receive the iostanpe of ^he ^service. If ttyq customer: is $q 

t ^ entitled, Dl 1CTSE 627 decrypts the control word injthe BCM^ and provides itto service 
decryptor 625, which uses it to decrypt the MPJSQ-2 ^apkets. CQn^iryng the audio and 
video for the service. However, the number of different kinds of services, the number of 
different ways in which a service can be p^rcjiased* nuynber. of f wgys in which * 

15 can restricted all work together to malc? jLhe .irj^ippr. in which DHCTSE 627 

processes an ECM rather complex.^ % orf - . ; .. . rv , . r> { vrc v .. fl ,.,.. 

The simplest case is for a broadcast seiyice ? suQh f as,^s^ M er ?> * e 

customer who owns DHCT 333 has paid.hiSr.Qr l^j^^iy^il^Qrjhe ^cyic^fujd jhe ^ 
^ entulement authority h^s sent two ; EMMs to QHQJ, 3^3 ^MSK JElVllyl^it^the; nifgith' s\ 
20 MSK for the seryice and an EMM that fp^ciji^^ J^e^servj^ee^ As 

previously pointed out. the latter EMM may either contain a list of entitlement IDs or a 
first entitlement ID and $ bit map. All of these PHMffg^^ 

in the case of the MSK EMM, there is an expiration date of the MSK; in the case of the 

3Jfin:':-ioo? 6i a. w a, : .* .Tito ^ '-yyr.?:--' \ c ;:: b?zj ;t/j:zy^ r-isniDiaoa i 

entitlement ID list EMM, there is an expiration date for each entitlemertf r ID on the list; in 
.vjino., b\. n -ci • i.:.ro i* 4 '' . i-v • ocl aJ Mru* d - 

the case of the entitlement bit map EMM, there is an expiration date for the entire bit 

•jv. rid) .n;;:/: "--v •" ' ^ r .•ci f ? »3T 1 ^rf; ^\ ;•: ,r;i?i^;?. -.v-nit-i*,'; o . t* 

"map. 

At a minimum, EA information ~1 333 for the entitlement agent that provides entitlements 

for die service instance that the ECM is accompanying contains EA descriptor 1409, a 

* ; . • .. . ' rruc .ill '^T!r::.Vr-. vr.ni 

30 MSK NVSC 1 601 , and either an entitlement bit map NVSC 1 61 3 or an entitlement list 

NVSC 1623 for the service to which the instance belongs. EA information 1333. may also 

contain NVSCs with entitlement information for many other services or instances thereof. 
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The ECM for the service instance will dbntaiiri; at a minimum^ entitlement agent ID 2207. 
decryption information 2209, time stamp 2233. encrypted control word 2235, and a single 
entitlement ID 2245 for ItKe inst^ J ' 

5 When t>HCT 333 receives the'SGM; it delivers the ECM to DHCTSE 627, which reads 

down EA list' 1406 liritil it findis ah EA descriptor 1 409 having a value in EAlD 1 509 that 
: is the sartie astHe^V^WEAiri 2207 in1he f ECM. DHCTSE 627 then follows first NVSC 
pointer 1513 to'list lVll'anil'iboics for a l MSK NVSC 1601 that" has an MSK ID field 
1603 containing the same value as MSK ID field 2213 in the ECM. Having found such 

10 an MSK NVSC, it determines from no_exp_dat flag 1607 whether expiration date field 

1605 contains a v&iid tirrife value'; and If £o, it compares that value with the value in the 
ECNTs timfe stkmpTieid2253. If the value in time stamp field 2233 is more recent in 
time, dHCTSfi £27 \vill riot us6 itfSK 1608 from MSK NVSC 1601 to decrypt control 
word 2235. The secure eI6meiit ! Cdhtiriues searching for an MSK NVsfe with the proper 

15 MSK ID and an unexpired MSK, and if ittinds such a MSK NVSC,' it uses that MSlfC 

NVSC; if it finds no such MSK NVSC, it does not decrypt the control word. 

DHCTSE 627 similarly Marches iikt 1411 for an entitlement bitmap NVSC 16 1 3 or an 
ehtitteriiehf list NVSC l1S23 : Whibh contains an entitlement ID which is tJie'same as one of 

20 r;?; the erltiilemfent ibs : 22^ in the EC^I. If (1 )' DHCTSE 627 finds ah NVSfc with such an 
entitlement- lt> and (2) there is no valid expiration time in the NVSC that specifies tlie 
: entitlement iD'&at f iy e^lierlhan time stamp 2233 in the ECM and (3) DHCtsfe 627 has 
also fiWnd^ as Described above" DriCTSE'627 decrypts control 

worcl £235 ijfem^'&lg MSK* and* decryption information 2209 in the ECM. Decryption is 

25 done using the 3DES algorithm that was used to encrypt the control work. In a preferred 

embodiment, the control word contained in the ECM is a counter value as described 
above, arid DHCTSE 627 prodlices the control word that actually is lis^ri to decrypt the 
service instefree by 're-enci^tirig the integer using the MSK and the 3DES algorithm. 
That control wo53 tisatfte by ''&e ^mcVdecryptor 'is then returned to service decryption 

30 module 625 , whibh uses it to'decrypt' the service instance! » ■ - 

■ » * . j . >: ^i: ■)./'• :•„.-. . oi . I: 
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As is apparent from the foregoing description, whenjPHCTSE 627 parches an 
entitlement agent's, entitlement agent information 1333 f$r a given entitlement for a 
service, it continues searching until it has either found ^n NYSC that contains.th.e 
entitlement or it has reached the end of list 141 1. What this means in logical terms is that 
. the entitlements ; that a given entitlepient agent can^rsnt are the. logical Ol^ ofjthe 

entitlements specified in entitlement agent information 4333., Eor exanrale, if one v 
^ entitlement ; bit map NVSC that^contains the s^nie qntitlemenUD as,the£CM/ha$ expired, 
b,ut another has not, DHCTSE 627 disregards the spired .NVSC, and .based on.the active 
NVSC, produces control yvord.2235. 

It should further be pointed out here that time stamp 2233 in the, ECM and the expiration 

f : : ! r.r'i ' . '. r. .v ■ - ■ •--* ■ >• - ' *- * •• > ■ "- • 

information in the NVSCs prevent reuse of a previous month's.M$K to decrypt ?an 
instance in the current month and also prevent reuse of a nrevious month -s-entitlements in 
the current mopth to implement the protection^aipst replay |ttt^ks^descrihed : in.the 
15 Banker and Akins patent application supra % . % . , „ , ^, f . ; f . px- 

Where further restrictions apply to an entitlement, DHCTSE 627 searches for that 
information as well in entitlement agent information !^ |: 
blackout/spptiight field.2223 of the ECM indicates^ the se-^vice/ri 

20 DHCTSE 627 /; uses blackout/spoUight in^prmatipn.2236 to determine wither. the location 

specified by x coordinate 1521 and y coordinate 1523 is within the square, specific^ bv 
Wackout/spotlight information 2236;.if so, DHCTSE ; ^27 does not 4?crypt.ppntrpl word 
f 2235. When a spotljght applies, the procedure is of coi^^e.jthe, opposite: p^gTSE 627 
decrypts the control word only if x coordinate field 152 l r a^| y cp^ordin^iield ; 1 5,23, 

25 specify a location within the square. t . 

As previously noted, the techniques that are ^used to fpant entitlements according to . 
geographical area may be generalized to grant entitlements to various subsets of. 
customers. For example, entitlements may. be conceptually represented in a Venn 
30 diagram, blackout/spotlight information 2236 may specify an^area in the Venn diagram 

that represents the set of customers that are entitled to receive the service, and x 
coordinate 1521 and y coordinate 1523 may specify the location of the customer in the 

61 

SUBSTITUTE SHEET (RULE 26) 



BNSOOCID <WO 9907 1 SO A 1 I > 



WO99/07150 PCT/US98/16145 

Venn-diagram. One use of suctfan aitangement would be to restrict access to an instance 
of a service according to a custbhier 's desire that users of his or her DHCT not have 
access to instance -with objecti&hable content. In other embodiments, of course, more 
coordinates or other way^oF'te^ 

Event Services - 

. .I:": . si . . r> :• • • ; ' i" '-:..',r. 

When the ECM accompanies an instance of an event, interpretation of the ECM takes 

place as described above, except that the entitlement information for the event is 

contained^ an event NVSC 1701 . DHCTSE 627 searches the entitlement information 

10 >'• 1333 for the entitlement agent 1 having the E AID that is intne ECM 'for an event NVSC 

1 70 1 containing an event 'descriptor 1 703 with an entitlement ID 17 1 3 that'is the same as 
one of the entitlement IDs 2245 in the ECM. If the event is a standard pay-per-view 
event. DHCTSE 627 then examines the ; 'flags f 705 to determine whether the customer has 
canceled the event and whether purchase of the event has been confirmed (always the case 

15 with standard pay-per-view). The DHCTSE 627 then compares purchase time 1 707 and 

end time 1 709 with time stamp 2233 to determine whether the time indicated by the time 
•stamp fewrthin" the 1 period' Indicated' by fields 1707 and 1709. If the C examination of event 
' NVSC 1701 indicates that the customer is entitled to the event! DHCTSE "627^decrypts 
comrbrwbrd Wfe^t& i&ta. VJ "' " " "' '" 

With IPP V of NVbb eventk;* a^oW IPPV tag 2229 in the ECM must indicate Sat the 
everit is one that heed not ^purchased in advance. Free preview flag 221 9 may also be 
set tb indicate tHa ! tihe 7 p6¥tibh bfthe event instance accompanied by the ECM is part of 
the free preview, and cancel window flag 223 1 may further be set to indicate mat the 
25 event can still be canceled. If free preview flag 2219 is set, DHCTSE 627 simply looks 

for a MSK NVSC? lSoi in EA inTorhiatibn 1333 that contains the MSK specified by MSK 

ID 221 3 in the ECM.' If the DHCTSE 627 finds one that is valid, it decrypts control word 

: '-2235'.- •• t r»« 7* 3Zrry<n _ . , -.. v. 

30 If free preview flag 2219 is not s€t,'DHcf SE 627'goes to the event NVSC 1701 having 

the entitlement ID 1713 that is Wsahi'e as one in ECM field 2245. If flags included in 
flags 1705 indicate that me purchase 6f me event has been confirmed and the event has 
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v. 

not been canceled, DHCTSE 627 decrypts CQij^qL%YOfd 2235. } If the event has not been 
canceled and has not been confirmed, but time st^ipp 2233 indicates a time that is within 
a predetermined period after purchase time 1 7p7Jndic^^in event descriptor 4.702, 
DHCTSE 627 also decrypts control worcj 2235, T It bjf,this ( means #iat the^^ryic^. 
5 instance continues to be decrypted between the time the FPM is sent to the entitlement 

agent and the time the entitlement agent returns the acknowledge IPP-^/NYOD event 
EMM. This causes the confirmation flag to be set in flags 1705. ... 

Cancellation of Entitlements to Events: FIGs-17, 19, and 22 

10 _ Whether a user can cancel a previously purchased pijtitlejnent, to ^n IEPy/NVOD event 
that he or she has purchased preferably depends o^he eye^t V/ There ^areithree ; 
Possibilities: _ . , x .. Sfi) „• i.irn, ,•■ , ■ 

• the entitlement can be canceled up^tq two ^ijcjut^s past puiphase; ; 

• the event can be canceled during a period of Ju^tie^^ ^anp^llatfon, wjndo\J; : 
15 or ... , f _ . ,. . . 

• the event cannot be canceled. r Kni . 



ins 



Which of the three possibilities is . associated wUh^^iv^n^y^iiJ i^d^eip^ined.byjhe 
purchasable entitlement data 1 913 in the GBAM th$ ^cojpp^Tjigs t^e, event, 'Qppjlag$n 
flags 1917 indicates whether the event can be^caiipele^; ^pthey silicates, \yhether , 0 J.- 
20 cancellation is possible in a cancellation window. If neither flag is set. the event cannot 

be canceled. When DHCTSE 6?7 ipakes ^n, S v ^J}^?SQri { p]PE {-7Q3Tor ©vejntv th.e 
values of the fl^gs in the GB AM are usedjto set flagsjij flags 1795 which jndipate,^ 
J^hetoAe event may be creeled or during a c$p^ljf$f^^ 
neither flag is set, the event cannot be canceled. , • , - . H , 

25 

The user cancels an event by revesting canceljatipp via cust^eisfjriput; 628 to DHCT 
333. When DHCT 333 receives the input v it provides a c r 2Uipell^tion r^qupst, including the 
EAID and entitlement ID for the instance, to DHCTSE 627, which uses the E AID and the 
entitlement ID to locate the event NVSC 1701 that contains event descriptor 1703 for the 
30 event. If the flags in flags 1705 indicate ih^t the ent;tlemept cannot be.panceled, 

DHCTSE 627 indicates that fact to DHCT 333, v which them indicate^.that the entitlement 
is not cancelable to the user. If the flags indicate that the entitlement can be canceled, 

63 

SUBSTITUTE S^HEET (RULE 26) 

BNJ^nOCiD <WO ^o7l«OA1 P > 



10 



WO 99/07150 PCT/US98/16145 

DHCTSE 627 simjtfy sets the canceled flag in event descriptor 1703. If the flags indicate 
that the entitlement can be canceled only 'during a cancellation window, and an ECM 
indicating the cancel window has ended has not yet been received, DHCTSE 627 sets the 
1 Cancel flag iivivent descriptor 1 703|6therwise, it indicates to DHCT 333 that the 
entitlement cannot be canceled, arid DHCT 333 so informs the "user. If the event has been 
canceled, DHCTSE 627 clearr'the^ackhowledged flag, which action causes a new FPM to 
" J be sent id the entitlement 1 agent for the event. The entitlement agent responds to theFPM 
by adjusting its billing as required by the cancellation and sending a new acknowledge 

EMM; ~ . J - • ? 

sr.. 4 :no • ■ >Jir ^' -J '•" •-- '- u - ; 

Interactive Sessions ' " ^ 

The chief difference between broadcast services' and interactive services is that each 
session of the interactive service'has its own interactive session key, which is contained in 
the interactive session NVSC for the interactive session. The NVSC for the interactive 

1 5 session also contains the "entitlement iDTor the interactive session. In an ECM that 

accDriipa&iies "the 'JVipSfcf-2 : siresun* For an Interactive session, MSK ID field 2213 is set to a 
; : :;;: valuS ^^^hlndickds that the Mfp§G-2 stream is to be decrypted using an interactive 
session key. When DHCTSE 627 interprets such an ECM, it uses entitlement ID 2245 to 
find the NVSC for the interactive session and then uses the interactive session key " 

20 conta^^ 

Detailed Description of Transaction Encryption Device 603: FIGs. 24 
and 25 

Each CAA that can authorize entitlement agents in digital broadband delivery system 501 

f L: : ^ 4 *fni be.T.or;- :i .-o L\ jx- ..<-»: . «ri ' ■■..*> ;i • ^ *"r~J jt .*> 

25 and each EA^that can grant entitlements in system 501 has a Transaction Encryption 

. y . - ; v; : ';i : u rr: :q kA OJiT :lv*~J '. * < '■ - » • ..«'.-" :? "* - 

Device or TED 603 in system 501. Preferably, eacji CAA or EA has its own separate 

TED in system 601. Alternatively, the TEDs could be .combined in one device.. The TED 

603 stores the secret keys used by the entity to which it belongs and has hardware ,and 

software to do encryption, decryption, key generation, and authentication as required by 

, • v S'" '. r-. 0/ r r i -i. * r. 1 ' - f ■ ' * " • :. ' ";?. / 

30 the entity. The keys are kept secure by implementing the TED without a user interface or 

user I/O devices, by implementing it in a tamper resistant container, by connecting the 
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TED only to the DNCS and using a secure link for ttiat jcprmection, and by keeping the 
TED in a physically secure environment such as a locked room. 



In the case of a TEP 603 for a CAA, the TED 603 stores jthe private keys corresponding 
5 to the three public keys representing the CAA in the DHCTs 333, encrypts and provides 

sealed digests for of EMMs from the CAA to the DHjCTs o 333, and decrypts and . 
authenticates messages from the DHCTs 333 to the CAA. In the case of a TED 603 for 
an EA, the EA TED does the following: _ tU 

(1) stores the public and private keys for the E A and the MSKs for the EA;., 
10 (2) generates the EA public and private keys and the MSKs; 

(3) encrypts and prepares sealed digests for the EMMs sent on behalf of the EA; 

(4) prepares the shared secret digests used to authenticatejglqbal .broadcast messages; 

(5) provides the MSKs to SEES, module 620 for use in encrypting instances ojf 
services; 

15 (6) generates interactive session keys (ISjfCs) for interactiy? sessjpn.Er^^d^ 

provides them to SEES module 620 for use in encrypting the-interactiye session: and 
(7) decrypts FPMs and other messages sent ftpm DHCT 333 .to the e^^gnt^agent. 

TED 603 in Conditional Access System 601; J£IG. 24 . ^- u . 

20 FIG. 24 shows the relationship between a num^qr of. JEJDs^6(^;3^^:the rpstipf ^pndijional 

access system 601 . Portion 2401 of conditional access system 601 includes a CAA TED 
... ? 427 f OT : a . CAA that authorizes. entitlement ag^J^ ?y?^W .fyhrTfPWV 240^al^j 
includes one EA TED 2425 for each of the n+1 entitlement agents which theXAA has 

currently authorized for DHCTs 333 in digital broadband delivery system 501 . 

r t » ■'' ■ •. ; .i. . ;r:-ii ; .. \Si v.\ : . , n:::W£irj / -. \Ly «!*::" 

25 ' Alternatively, all EA TED 2425 functions could be combined into a single TED, which 

■ .*»-*■ • ; " ■ : " * : ^ v r . --. % -=5-i;:vijt*:;i- :r:s:i.~ n:: A 5 tnR 

could include the CAA TED 2427 function. Each TED is kept in a physically secure area 
• ••,"€.-*.... ■ - - ' ' ■ . . ? - ■* . . * f / : . 0-:! r: r 0o f -;r 

2428 and is connected to DNCS 507 by a secure high-speed link 2423 that connects only 

' 1 DNCS 307 and the TEDs 603 f In the preferred embodiment, the secure link is a secure 

Elhernet link. DNCS 507 uses T^D 605 to encrypt EMMs, to decrypt FPMs, to generate 

30 EA public and private keys, to generate MSKs and ISKs, and to prepare global broadcast 

: - • ". . . • • - .'. c, • ■ ':u'.' : - ,f ; . si - * 

message digests. DNCS 607 has a remote procedure call interface to the TEDs 603 for 
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performing these operations, ahd^ consequently, program's executing on D>JCS 607 can 
use the facilities of a TED simply by making a procedure call. 

DNCS 507 is the sole connection between a given TED 603 and the rest of conditional 
5 r access system 60 1 . DNCS 507 : is J Connected by a network 241 5 to systems belonging to 
the CAA and the various EAs. Each of these entities has a database containing 
:1 information Relative to its Kmction^ CAA 2405 has CAA database 2403, which contains 
G at least the CAAVthree' public keys and encrypted versions of the corresponding three 
-private key s/the" entitlement' a^ identifiers for the entitlement agents that the CAA 
1 0 authorizes, arid a 'per-I!)HdT database that contains the names, types, and numbers of the 

NVSCs that the CAA has allocated to each entitlement agent authorized for the DHCT. 

Each EA 240^9(1) hais Its own EA : database 2407(i). EX database 2407(i) preferably 
contains the EAID for the EA, a list of the IVflSK IDs and expiration dates for the MSKs 

15 that the EA is ciirrently using, ancl a database of the services and/or instances that the EA 

is providing, this daLt>kse of services contains at least the entitlement ID for each 
'" : ' r: - 'service: ' E^' datable- 240i(\) ai^'includes a per-DHCt database of the entitlement IDs, 
^ntitlemehrexpiratibri times, and MSK IDs for the entitlements and MSKs sent in EMMs 
to the DHCT. TOe per-Dkct database^ may also contain customer billing information 

20 such as the irifofm^tiori requireci 1 'to 'deal with the purchase information in an TPM? 

Key' certification authbrity 2413 is an entity which certifies the public keys of DHCTs 333 
to bNCS 507; lit a pfefelted embodiment, key certification authority 24 1 3 is maintained 
: by the trianufactoCT 333/ DHCT key database 241 1 contains a database of 

25 DHCT serial nurhSers md {heir public Tkeys. When a user of a DHCT 333 wishes to 

purchase an instance of a service offered by an EA, the user sends a purchase order to the 
EA with the serial the IP address) of the DHCT 333. the EA 

v - ' provides the senal riiimbW to DNCS 507, which maintains a database 2421 of DHCT 
5 public keys by serial number. If ihe serial number is not in the database, DNCS 507 

30 sends a request for the pufclic key to KC A 2413.' The request contains the serial number, 

and the key certification" authority responds to the request by sending a digitally signed 
message 2412 to DNCS 507. this message contains the DHCTs public key. DNCS 507 
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f 

has th^ public key for the key certification authority and, uses the public key and the 
digital signature to confirm the authenticity of the DHCT public key Jn. the message. If 
the public key is authentic, DNCS 507 places it in public key database 2421 . 

5 DNCS 507 is further connected via another high-speedJjnk 2417 to SEES 620, which is 

provided with MSKs for encrypting instances of services.- Additionally , DNCS 507, 
provides global broadcast messages (GBAMs) pd EMMs for ^roagcast yi^ .tran^ppjt link 
517 to the DHCTs 333. Finally, DNCS 507 is connected via the reverse ipath provided by 
LAN interconnect device $17 to the DHCTs 333 and reqeives FPM? from the DHCTs 

10 333. In other embodiments, DHCT 333 may also seiid E^J^&tp pjHCJs 333 hy ( this 

route. , n , , . , ., 3 

Data flows in portion 2401 are shown by labels on the arrow| connecting the components. 
Thus, an EA 2408(i) sends unencrypted contents 2410 o£EA EMMs and global broadcast 
messages to DNCS 507 and receives unencrypted contents 24.12.o£FPMs.fQr,thp EA from 
DNCS 507. t With EA EMMs and global broadcast messages, P^CS 507 use^ ^JED- 
^ 2425(i) to do the necessary encryption, d^est ? making, ^^^JI^^^Qnjp^^fQ^sends 
the encrypted and authenticated EMMs. and global broadcast messages, as well as the -4 
MSKs. to SEES 620, as shown at 2426 and 241 8. In the, case of EMMs, which arc 
repeatedly sent over an extended period of time, to t^e DHCTs & pj^p^. 507 ^or.es.the 
encrypted EMMs in EMM database 2420 and provides them to SEES 620 from there. 
With FPMs. DNCS 507 uses the EA TED 24250) fOTrthe EA,24Q9(i)J9.\vhjLC f b the FPM is 
addressed to do the decryption and authentication and sendsxlecrypted J^Meontents 
" 2412 to EA 2409(i). PNCS 507 treats CA^^EMMs tf^^^e^^my.^^^ ^^^^ ^accept 
that the encryption and digest making is done using CAATED 2427. 

DNCS 507 also contains a database of encrypted entity information 241 9 V which 
comprises encrypted copies of the private keys <md lylSKs stored in the TED3 609 that are 

w f —j i : "' ^ . • : . ..r . » '.. , ■ J. .U 7 7; •• ~ ;. n L i'i .... ..v. ' — _ 

connected to DNCS 507. This encrypted entitv information is used to restore a TED if a 
malfunction or the physical destruction of jbe TEp should cause loss of the key 
information. The encryption is done in tl^e TED using a pass phrase. When the 
information has been encrypted, it is output to DNCS 507 and stored in database 2419: 
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when the TED is restored, the information is input together with the pass phrase to the 
TED, which then decrypts the'lcey information. 

Detailed Implementation of TED 2425(i): FIG. 25 

FIG. 25 is a detailed block diagram of a preferred embodiment of an EA TED 2425(i). In 
the preferred embodiment, EA TED 2425(i) is implemented using a standard computer 

motherboard and chassis with a standard Ethernet board and additional means for 

\" >y v yi-n 'juuiol ' ... . . "4 : i . * ■* r. ; 

accelerating RS A encryption and decryption. 



As shown in FIG. 25, the main components of TED 2425(i) are CPU 2501 , memory 2505, 

. ' "i r.'; t ? Mr.-' <i i v;'. : i ,;, 7 //v. .1 '.1 I *«; • •. i. : 

a hardware random number generator 2537, an Ethernet board 254 1 , and a number of 
['0. / ;S' f : z:r : -. — Lr;~ :;\o:'.; ' - ' ....... i "» *: i ■: \a 

RSA accelerator boards 2539(0 .. n), all interconnected by bus 2503. The use of mpre 

than one R$A accelerator board 2549 permits RSA encryption and/or decryption in 

parallel; in consequence", the preferred embodiment of TED 2425(i) is capable of 

15 encrypting a plurality of EMMs very rapidly, e.g., within a second, while also performing 

other operations involving encryption, digest making, or decryption at a similar rate. 



Memory 2505 contains EA information 2507. which is the public and private key for the 
entitlement agent to which TED 2425(i) belongs, the MSKs for the EA. and code 2523; 
which is the code executed by CPU 2501. The parts of memory 2505 which gontain code 
2523 and EA information 2507 are non-volatile, with the part containing code 2523 beina 
read-only and an the part containing EA information 2507 being both readable and 
writable. The code which is of interest to the present discussion includes: 

(1) MSK generating code 2525, which generates MSKs and ISKs from random 
numbers provided by random number generator 2537; 

(2) RSA key generator 25 1 7, which generates public and private RSA keys from 
random numbers; ^ , - 

(3) MD5 code 2529, which performs the MD5 one-way hash algorithm; 

(4) 3DES code 253 1 , which does 3DES encryption and decryption; 

30 (5) GBAM authorization code 2533, which makes the shared-secret digest used to 

authenticate global broadcast messages; 
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(6) RSA encryption/decryption code 2535, wWch performs RS A , 
encryption/decryption with the assistance of RS A hardware 2539; 4 

(7) EA information encryption code 2536, which encrypts EA information 2507 with 
a pass phrase for storage in DNCS 507; . rr . . . „ 

5 (8) EMM code 2538, which produces encrypted and authenticated EMMs; and ^ 

(9) FPM code 2540, which decrypts and checks FPMs. 
EA information 2507 contains the information needed to do the encryption and 

authentication of GBAMs and EMMs sent on behalf of the EA represented by TED 

•:jp- ■« y.r. or./:: * . •"'JcT.. x ^ 

2425(i). EA information 2507 also facilitates and contains information for decryption and 

10 authenticity checking on FPMs directed to that EA. In a preferred embodiment, EA 

information 2507 includes at least: (1) EAID 2509, which is the EAID for EA 2409(i), 

■ . ./ • - i. : o;: 'V.:.>u t vir; : *; .:.;-r>-sx -r^ ■ .? 

EA Ku 251 1 and EA Kr 2513, which are the public andf private keys respectively for EA 

' 240^(i); and (2) a MSK entry (MSKE) 2515 for each MSK being used by EA 2409(i) in 

conditional access system 601 to which TED 2425(i) belongs. Each MSKE 2515 

15 contains MSK identifier 25 1 7 for the MSK, the expiration time 25 19, if any, for the MSK, 

* MSK parity 2520 for the MSK, and MSK 2521 itself. 

■rci-ssjii 1 / - 11017.1:1'.:' s ,ai , - , ;ovi;:'.:s:jiiw":«- :vjrf.^ 

Operations Performed by EA TED 2425(i) 

When EA TED 2425(i) is initialized, it is provided with the EAID for the EA to be 
20 represented by TED 2425(i). It stores the EAID at 2509 and uses RSA key generation ~ 

code 25 1 7 and a random number from random number generator 2537 to generate EA 

public key 251 1 and EA private key 2513, which are stored in EA Information 2507. A 

hr:x: ? '::,..•'„>: r> " r r u,r~- 'i: A:. *Cii;«i-s;rro'i T-"f*q j.m r j i/Hj*. 

Remote Procedure Call (RPC) permits DNCS 507 to read EA public key 2511. Other 

• - . . ) • - t i rIo*r:.v odo.? s lT .3fo/v?*T*'-' 

RPCs permit DNCS 507 to read TED 2425(i)'s serial number, to get and set TED 
^ r ., . . i- * > •. ,i* *. /■ 1 oc ?7a£i^.i , >'- J-T 1 r : r i) 

25 i242S(ij*s system time, and to call TED 2425(i) to determine whether it is responding. 

TED 2425(i) responds to this call with its serial number. EA TED 2425(i) also reports a 

number of alarm conditions to DNCS 507. These include encryption partial and total 

failure, random number generation failure, memory failure, and TIED and Ethernet 

overload. 
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Continuing with the encryption and authentication of EMMs, DNCS 507 has two RPCs, 
one for EMMs g6nerally and dhe'for MSK EMMs. When DNCS 507 is to make a non- 
MSK EMM for EA 2049(i); it receives the following from EA 2409(i): 
' (1 ) the' serial numbfer of thfc DHCT 333 whidh is the destination bf the' EMM; " 

(2) an EAID for EA 2409(i); ' "'■ J 

(3) tfie^NiM^ ty^er^ci ^ : ; ; ; ■ 

(4) the information needed 1 for ian 'EMM 6f that particular type, for example;, in 

' entitlement bit map tb^ethet with the first entitlement ID, the expiration 'date, and the 
no-expiratiori date flag. 



DNCS 507 ufcesW serial "number to-lbok up the public key for the DHCT 333 in public 
key database 2421, uses the EAID to determine which TED 2425 to use, formats'' the 
information's Squiffed for an EJvflvl df this type, ahd provides the formatted information 
(1 123, 1 125, and 1 127 in FIG. 1 1) via the RPC to TED 2425(i) together with the DHCT's 
15 public key. EMM c6de J 2538 ^hen J vises MD5 cdde'2529 to make a digest of the formatted 

information and uses RSA E/D code 2535 to encrypt the formatted information with the 
■ ! briCT's public' key akd eht^t%e : ditejst with"private'key 2513 for the EX.The 

encrypted formatted information and the encrypted digest are provided to DNCS' 5 07, 
ic ' wh'ich adds whateverelite is ^hecfess^ aiid places tlie EMM in EMM database 2420. 



;? Foi- ah MSK EMM, DNCS 507 receives'the EAId/the DHCT serial number/the EMM 
type, the MSK parity, the Msklb'/^rid any expiration date from EA 2409(i). DNCS 507 
then retrieves the DHCT serial number, formats the information, and makes the RPC call 
as just described. In this case/EMM code 2538 looks in EA Information 2507 fo find the 
25 A MSK coitesp6ndirig T t6 the M£>K ID and adds the MSK to the formatted i^ormation. 
' v Then EltoM cta^^ u 

information. EMM code 253 8 ttifcri uses RSA encryption/decryption code to encrypt the 

•-. -v* r -«-.V J ■. * . 1 , t . - '* r ' 

formatted information with th6 DHCT's public key and encrypt the digest with the EA's 

private key and returns the EMM to DNCS 507, as described above. 

The interface for giving k global broadcast message its authentication information 
requires the MSKID of the MSK that is to be the shared secret and the contents of the 
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, global broadcast message. GBAM authorizatiqn code 2533..in TED 2425(i) ; uses the 
. MSKID to locate MSKE 2525 for the MSK, cpmbi^es, MSK 2521 yvith the? contents of the 
global message (GBAM header 1 807 and glpbj^brQadeast data-^1 809 jin FIG. \ 8), and 
uses MD5 code 2529 to produce the digest (GBAM. MAC 1&P.5), which itretums to 
DNCS 507. v rr 

With messages sent from the DHCT 333 to the EA, suc^uas the. f^rward^purchase 
message, the IP.packet in which thejmessa^p ds^gen^includes the IP.address of the DHCT 
, ,333 which is the source ;Ofthe message, and that jn,t^!n_c^e&.the, serjj&l number of 
DHCT 333. DNCS 507 uses the serial number to locate the.piib.lic ^ey for. DJHCT 333 in 
public key database 242 1 and provides the public key to TED 2425(i) together with 
.; .encrypted envelope key 2103, CA FPN$. message. 21 05^ a^d,F^M. sjsiieg, authentication 
.21 07, from the FP.M- FPM code 2540 then:,^ , . c , , r > .. , . ...... . 

..,.__ r (.l) uses EA public key 251 1 and RSA enciyption/decryption code 2535 to.decrypt 
- } FPM encrypted enyelppe key ,2103; , r ( , >OR . . r r J , i;f .. ,r . : 

c ^ . (2) uses 3DES code 25 and th? decrypted e^d^e. k§y tp, decrypt F^PM encrypted 
r events 21 13; ',. , . 

^ r (3) uses R^A ^crypti^n/decry^tipn 9^;?535^,^| py|?Up, J^ey^^r QHC^ 333 to 
-deciypt FPM authentication 2107; and t - - , 

,: . (4). jr ii?e^ the decrypted ^ncrypted event r s r vv^h^$ cod| 25 ; g^tp prpdyce * new.hash 
which it compares with the decrypted value of FPM authentication 21 07. If this 
r ,Pomparison indicates that the FPM is authentic, TED^4^5<i> returns the4Qcrypte4 events 
, ,to DNCS 507, which in turn forwards them to EA2409/i). , . , , 

• bf $f } MS^s in MSK 25 l^are pn^tpdJb^.TCa nj 
generation simply requires.the.lVj[SKlD,for the new MSK, theparitv for tlxe new MSK, 
and any expiration time. MSK jgenerption code 2$25 jeceiy^-a Fapdom number from 
random number generator 2537 and uses it to ggneraj^ tjie new MSK. Tl^en the M5KE 
: 25 1 5 for the new MSK is made and atfded ^EA^irf^^o^S^ is already an 

MSKE 2525 for the MSKID for the. pew MS^ the ae^ ^S^rcp ? l^es the existing 
MSKE. TED 2425(i) also generates interactive session keys for the add interactive 
session EMM. Key generation is as described for the MSK EMM. Qnce TEp 2425(i) 
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has provided the EMM comem With the encrypted key io DttCS 507, it overwrites the 
area in memory 2505 Where tifie ihter&ctive session Icey was stored. 

CAA TEDs : '" !::;r 'v^ Vio ■ J - ' - v 1 " - / 

5 CAA TEBs 2427 have the sam£ hardware as EA TEDs, But in the preferred embodiment, 

' they only fencrypt%feCAA^WK*s''uted to establish an entitlement agent in a DHCT -33 3. 
EMM encryption is done exactly as described for EA TEDs. The only keys required for 
encrypting and authenticating CAA TEDs are the DHCT 333's public key and the CAA's 

^private 'k6y. ; They* therefore tieefl only " store one of the three public-private key pairs that 
10 1 ■""< represenrthe ; CAi\: f he'CAA jiubliib-private key pair is generated elsewhere^ The private 

'key is encrypted usihg : a ; p^s phrase thiit is provided to CAA TED 2405 along with the 
key pair. CAATEi^ttieiV^ and stores the decrypted private key. 

but not the : pass ph£s£rhi itf€*m6ry 2505 ; The encrypted private key, but not the pass 
phrase, is stored iri^ridrypfed entity information 24 19 in DNCS 507 as well. 

ji Atithenticating Data :' for Applications Running on DHCT 333: FIG. 23 ^ 
The foregoing has ' f diytl6s^n6v^c^jiditi6nd access system - 601* uses the conditional 
access authdrit'yVthe ^ DHCTSE 627, and transaction encryption device 

603 to provide security T f6r \(h o'wA'operations and for the keys and entitlement 
20 1 infoitoationTeqiiifed to*dec^pt r an iffstance of a service. Another function of conditional 
• access system 601 is that Of ensuring secure data downloads for applications executing on 
1 ' DHCT 333 1 T : heVe &r ( e v&cf pathS^y vvhich data may be downloaded : ( 1 ) in an MPEG-2 
stream via the high bandwidth path running from SEES 619 via transport network 5 1 7 to 
HFC network 521 to DHCT 333, and (2) in IP packets via the lower bandwidth path 
25 -ruiihihg ; fit)itt ; dontrbi Suite 607 vfa LAN interconnect device 6 1 7 and QPSK modulator 

621 to HFC netwdrk 521 1 aii(TDHCT 3^3. ''" * " ' 1 " °' ' ' ' W 

As with the data used in conditional access system 601 , there are two aspects to the 
problem: security arid' authentication. Security may be attained by encrypting the data. In 
30 4 the case of data delivered by the high bandwidth path, encryption may W either by DES 
using an MSK when the data is intended for all DHCTs 333 having a given entitlement 
agent or by means of the public key for the DHCT when the data is intended for a specific 
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DHCT 333. In the case of data delivered .via th^ Jower ba^dwdth path, the data is 
addressed to the IP address of a. specific DHCX3fP.atid 4 may be encoded with .the public 
key of the DHCT 333. In the case of encryption with a MSK, the MSK is provided by 
transaction encryption device 603, and, in the case of encryption with the, public key of 
the DHCT 333, transaction encryption device 603. cai\ provide the key or do the 
. encryption itself DHCTSE 627 contains the keys needed to dq the ( .necessary, decryption 
in DHCT 333. , . . . , , 

The authenticating entities in conditional acce^s.s^e^ the conditional 

. access authority and the entitlement agents. Authentication of downloaded. data is done in 
t \h$ same fashion as in EMMs, namely by using a Qoe-wgy, ha^ . function to make a digest 
of the downloaded data and then encrypting, the digest \yith the private key of the 
authenticating entity to make a sealed digest, in prewired ^ jsmbodiment, the sealed 
digest is made in transaction. encryption device 6Q3. ^^pyvnlo^aded data arrivesv 

15 in DHCT 333, DHCTSE 627 uses the public key of the authenticating entity to decrypt: 
the sealed digest and then uses the one-way h^h ( fl^tj^ dovyiUqaded 
data. If the downloadedjdata is authentic and ha^i^pjt J^?^^]^ 1 ^ 1 ^^^ u^JJW^i - - ■ 
decrypted sealed digest and the result.of hashing the ijvtfce one-way ,hash iyaction t 
will be equal. It should be noted at this point that the ^utlie^ti^tipn is f done not by the 
originator of the data, but rather by a CAA or EA.that i§ known tp.th^^igitaL broad, band 
delivery system. Moreover, because the CAA or^j^^i^^tao^lo DtJCJ 333, 
downloading of authenticated data to DHCT 333 C|^ t £p<^ of the 

user of DHCT 333. , , f ' . 

ri:b?7- / -..rsJ / ■ . • r. ; : ■:..« i-r.s T1VHC ir.c iio'-viin .?- ; ( 
There are many ways of relating the authentication to. the data being authenticated. .One 

way is to use a GBAM as described above with reg^d to FI^G. 2.p<. In.sueh.a case, the 

GBAM payload 2003 would be the digest for the data being downloaded and entitlement 

agent 2005 would encrypt the cligest with its private key f a^ w^ll .as piaki^g a digest using 

payload 2003 and a MSK. Another way is to simj>ly ^end a jne^sage. via the MPEG-2 

transport stream or using an IP packet that contained^ authentication portion as well as 

the data. 

; .« • ?]■.:. ; ; :k^ /v^i'.:a: ?.i/e*. r;- « 

■ . " * TO V ^. J C'^^ : 
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One kind of data that can be downloaded using the above techniques is code to be 

executed by the general purpose processor in DHCT 333. The memory used by the 
, processor includes a portion\which is flask memory. That is, the memory cannot be 
: written iq like ordinary Writable ^memory , but can be rewritten only as a whole. Such 
! -memory is typicajjy used. to, ihoidwdownloadable code. FIG: 23 shows a message- - 

containing downlpadajble poder. ;Gode message S2301 has two parts: authentication part 
:23Q3 A and cod^ pact 230.5..: ;Cpde part.2305 contains encrypted or unenciypted^cbdev as the 

situation requires. Authentication part 2303 contains at least twb items of information: 

authenticator identifier (AID) 2307 and sealed digest 2309. Authenticator identifier 2307 

• "i_ ^ a i-tfN ---y^Vk jM; :n noi;*&ii\r , ' ••cu . , \i . J> '< " - , ~ CI": 
is the CAAID or EAID for the conditional access authority or entitlement agent that is 

authenticating code 2305; sealed digest 2309 is made by hashing code 2305 in a one-way 

hash function lo make a digest and then encrypting the digest with the private key of the 

CAAor EA thafis authenticating the code. SD 2309 is produced in a preferred 

■ ; -?v : V- r "'w • ; , . ; ''i-'<--«"£ ^ '• - " ••• ■' --U ■ n 

environmeni by a transaction encryption device 605. 



Code message 2301 can be sent either in a MPEG-2 transport stream or as an IP packet. 
u&^lS 2301 may^be.broadcasjLtp any; DHCT 333 that has the authenticating CAA or 
^a^|Wy.jbe ; ^^tQja.§p^^c.l?HC^--333; In that Case, the packet(s) carrying code 
_ -\M *?9J will include an addcess for; DHCT 333. In the preferred embodiment, the 
20 , . addijess is DHCJ 3331s serial number.; When code message 230* arrives in theDHCT 

33,3 for^vvhich it is intendedj Cpde, executing, on the processor performs the one-way hash 
2c :^ incl i c ^ 9 n 99 de : 2 AP 5 F^^:MPy? d . e s- t he.result together with AID 2307 and sealed digest 
vsJaj^^^iHg^f^dMS^I 627;uses ; AID 2307 to locate the publickey for the 
: : - CAA.or IAf &^M^.Mi?tpyblicckey to decrypt sealed digest 2309: Fihally^it C 
25 . compares. the, hash value i^jdecrypjed -sealed digest 23.09 with that-provided by the'eode 
t executing on the, processor v and* M they are ; equal,. DHCTSE 627 signals' fhaMhtf bode has 
.b^nauthenucated.,_. :r : ■■-■■•■n :lo.rs; ;:o T. ' ■ :n.-; - .. c'.. 
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Public Key Hierarchy (Fig. 28) 



O: i^- w< t*J ; . * I-. 



The .various elements of Jhe .system described herein foJlectively implement a public key 
hierarchy 2801 within the network. -This is advantage&us^because Stich-k^hierarchy can be 
used.to.establish the "trust chains" that support scalria^tf and Spontaneous commercial 

; :r jnteractipn between DHCTs333 t arid othernetworks tfcat employ -public key-b^sett : 
. security, such a§ tjhe Internet, it can also be used*© ttt&Blisli^ust iti Uset' coftftrifei-ekl 

r jn^ractions'wijh-thje- DBDJ5 SOL.* ;r« * > rzq no:JC3i:ftvsi! * t 



FIG. 28 shows the hierarchy of public key certification in the X>BDS. Th?re are two 

• ahsoJ ;.U'V.:. ifnu.. f T>r - -in * ;\ ; . OcbiO, ;.»; to! '..if /\JT in •..:»/-./■. j s *ii 
independent ''trust chains" shown. On the left hand side is the "DHCT chain", which 

10 ' establishes the validity of the public kevs associated with PHCTs 333 and enables trusted 

uU'io /t.i ^j'l.-. • . %A It* * u • .x v / *j u: a ?:fa. cnoi/;<;j* u 

use of digital signatures made by the DHCT 333. On the right hand side, i$ the "Operator 

chain* which establishes the validity of public keys associated with the network operators 

and the subtending EAs within each system and enables trusted use of signatures of these 

entities. 

: *bc<.: -.1 r. *c ^ j : * •■ i^Lb -id 1 0-;;. ^yr.?:^iv: ^bo J .:. 

15 Xhe JDfHGTn signature 2806 may be used^£des£r^ t 

-.. , -messages sentcfrom the DHCT 333* Howefv^rjfor 1 fei^lent^Ho^ ablef ft?trust°sucfi > 
.< Jt ; PHGT signatures as 'authentic they mus£kn6\tf WitR r ce^ 

f JO; be associated with DHCT. 333 is in fact the m&KHy ^idh^itikfcff^^nh theiDHCTs 
r. h private key. This is accomplished by certifyihg' th^DHGT eertifidhfe 2S0iS v with ihe 
20 f . r . 2 facto^ptogrammer certificate authority '^PG A)" iigrt^fe- s The-'f'Pfc/? gnatiire be 
^ trusted because reference can be-maae^ Dki§T te^ificates 

250(& ^ndithe FPCA signature as weU'-as<the FP€ A cfertiftca^280$ ^pTfeferably made at 
, the manufacture-time of DHCT 333 in 6 secure A^SyP Since time 
v i .; tQ .issue new. FPG A certificates and use^new FPCA signatures; feach-FPCA certificate is 
25 also certified with a signature of the DHCT Root which may have its 6vm certificate 

2804. Said DHCT root certificate 2804 may either be self-signed or may be certified by 
another authority. DHCT root signature is preferably administered in a highly tamper- 
resistant device, such as one that meets the requirements of FIPS 140-1 Level 3 
certification. 
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In the operator chain; the various '£ A certificates '2803 are used to make signatures in the 
manner described elsewhere" herein. Likewise, the Operator CAA signature using the 
Operator CAA certificate 2802 is used to certify each EA signature as described 
previously herein. Above the operator CAA signature, two Root CAA signatures may be 
5 used to introduce an operator CAA 2802 to a DHCT 333 in a secure way. In fact . 

preferably at manufacture time, there are three Root CAA public keys placed intathe 

secure NVM of the DHCT 333. Then, authentic messages from any two of the Root 

>::-: ..k/' ) **"*. >*:•• c v.:s • 5ii.;rn';j *; - - : *- ■ / - •■'...> . 

CAAs may be used to replace the, third Root CAA public key with that of the Operator 
CAA whosg key is certified in Operator CAA.^certificates 2802. The Root CAA is „ 

l<r preferably administered by the manufacturer in a tamper-resistant device that meets or 
exceeds the requirements ofFIPS L40-1 Level 3 certification. It is possible,. however, 
through an appropriate : sequence^of messages, to change all of the Root CAA, public, keys 
to be those of other CAAs that the manufacturer has no control over. It is thus possible to 
remove the manufacturer from the signature chain. In this case, the Root CAA can be 

1 5 some other organization approved by one, or more .operators or it may be administered by 

an operator. 

: As-sH6wft in FIG.' 28 and described eTsewherc herein, each operator may Have a plurality 
of EAs. In a preferred embodiment, there is a different EA and an associated feA : 
certificate 2803 for every operating site of any given operator. This ensures that DHCTs 
20 can not be migratecl betweetf Operational sites withouVthc knowledge and participation of 

the operator CAA signature J : : r - " 1 

, „ JK g *^ is not required to operate the 

nprmal. conditional, access gncj sleetpniq activities r>f the operator. However, the operator 
may desire, to. link itf signature chain into a larger chain to be able to participate or have 
25 T r DHC r.T s 33 ? P^I^R^ i^ transactions Jnyolving entities outside of the operator 1 s e DBDS. 
In tWs case, the signature ^ ch^ins. may ibe^eadilyjinked to those of geo-political C A and 
its signature 2807 by bayirig the public keys of one or all oftthe DHCT root signature 
2804, the Root CAA signatiy-e 28Q8 or operator CAA signatures 2802 certified by the 
, geo-political C A signature. This i ? :. a 59!?roplished by having a certificate placed in a: 
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database for each of the public keys associated with, signatures 2804, 2808 and 2802. 
Said certificate is signed with the private key ; of the^geg-pqlitical CA 2807. . 

' . * * r * ' *" ' -sj : ,: .1' o-^ ;i - ; r.^- >-> ■ •* ' t* f O 

• FIG. 29 shows an EMM generator 290 1 . As described elsewhere herein, it is preferred 
5 that DHCTs 333 that are operated by ^different* bperators'in different DBDS instances are 

xbrttrolled by an operat6r CAAthat is specific to t^at operator Md'sysiem. < Since DHCTs 
333 at manufacture time are* not cbnfigured'to be controlled by any operator CAA, but 
■ 0 instead are controlled by three Root CAAs the piiT&fic keys 6f which are placed in the 
memory of the secure processor during 'manufactiire^tiiey must'be reconfigured for 
10 control by different operiatdrs. This must be done securely. As described elsewhere 1 

herein; messaged bearing the digital signatures of two of the ^ Root CAAs can be used to 
v - recorifigure the terminal with r respect\o t^e 'third CAXV'The EMM generator 2901 is used 
to produce one orthe two messages heeded fo introduce a new Operator CAA public key 
in a certified way to the DHCT 1 333^ DHCT piiblic ley"c6rtifi^ates 2902 are input to the 
15 l<* EMM generator so that it miy kno"w for which Slitff s messages are^o be made! The - 
DHCTs that will be controlled by a specific operator may be placed in a separate "fiVe 'of 
the input device or may be associated with,an operator. in pth,er ways <plean to/those^illed 
inthe^rt. _ . v ■ ■ . » > „. .. . - 

20 ^ Prior to generating introductory EMMs 2903, ce£ificd,puhl^ : > 

operators served by the EMM Generator 2901 arc loaded into the public key^memppy 
2904 of the EMM Generator 2901 . Thus, when EMM generator 2901 reads input of 
aDHGTs needed to be ihtroduced c to Operator f Xrd^H£KS^^f^kSr If^'fii^pt&fic key of 
TCjr^eperatorA read'from^memdry 290446 produce' ''^W^li3^S^Sii^ , ^^6 ■ 
25 ■- ' ©peratoii A. -Likewise, p^Hor lo gerieralrng iritrodiiCto^lENi^^ i^C^ 'flie'pnvSte keys of 
.:■(" the Root CAAs muSt-be loaded into the' pnvatelfey^meiftbry' 2905 : of the EMM generator 
L i, 290-1 .'c-Said EMMs are digitally signed by-the E^Kl'Generatcrf 2$01 using the private 
Jceysrof the Root CAAs J contained iA memory -29CB1 -sihee' private 1 signing keys are * 
^contained in menSory»2905 df EMM Generator 290l; : the EKlM Generator 29M'must be 
30 implemented in a secure fashion that |lrevents : discov6ty of &e : values of the Root CAA 

private keys stored in memory 2905. EMM Generator 2901 should thus be implemented 
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in a tamper-resistant device which meets the requirements of FIPS 140-1' Level 3 or 
higher. 

Since two Root.CA^ private kgy^s must be used to sign separate CAA Introductory 
. EMMs 2?Q3, ttere .are prefe^a^ two EMM Generators 2901 implemented, one^ach for 
each of the two Root CAA private keys. It is also preferred that EMM generators 2901 
are operated ip sep^t^ph^jsic^, facilities. . , . ;*.i : ,.v.? 

The Detailed Description of a Preferred Embodiment set forth above is to be regarded as 
exemplary and not restrictive; 'and 'the breadth of the invention disclosed herein is to be 
determined fro claims 'as interpreted with the full breadth permitted by the patent 





78 

SUBSTrWjTE SHEET (RULE 26) 



„ WO 99/07150 PCT/US98/1 6145 

What is claimed is: . 

i ... 

1 . A secure element for use in a receiver that receives messages addressed to the 
receiver, the messages having an encrypted contertt^and'bemg sent on behalf of an entity 

5 "that determines Whether the receiver-has access to ttisfeHbefc t>f services recbivbd in the 
r receiver, the secure element eomprisihg: ? ' nYnc ^ A -■ >« ; "'- iJ • * - 

non- volatile memory wherein is stored a pu&ifc Ice^pn kdy* pair for the " 
receiver and a public key for the entity; „ . „ 

processing apparatus coupled to the non-volatile memory, the processing 

;;rjf;.: f . : ' ' "v ■ .v. . .v. - : : ^uj-:.- . • 

10 apparatus including apparatus for decrypting and authenticating the messages and for 

decrypting and authenticating receiving the message content and using the private, key for 

the receiver to decrypt the message content and the public key for the entity to determine 

whether the message content is authentic, the processing apparatus not responding to the 

message content unless the message is authentic. 

15 

2. The secure element of claim 1, wherein: 

the entity is a conditional access authority that authorizes an entitlement agent to 
grant an entitlement to the receiver to access at least one of the instances; 

the message is a first message whose content includes a specifier for the 
20 entitlement agent which is being authorized; and 

when the message is authentic, the processing apparatus responds to the message 
by storing the specifier in the non-volatile memory. 

3. The secure element of claim 3, wherein: 

25 the message is a second message whose content includes a public key for the 

entitlement agent; and 

when the message is authentic, the processing apparatus responds to the second 
message by storing the public key for the entitlement agent in the non-volatile memory. 
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4. The secure element of claim 2; ? whbrein: 

the message is a third message having eContent that includes limitations on the 
number and/or kinds of entitlerii^iit^ graiiM by ifib entitlement agent; and 
r when the message is atitfiemicj the processing apparatus responds to the third 
5 message by storing the limitations in the non- volatile memory. ■ 

5. The secure element of claim 2\ wherein: 

the non-volatile " : ifteHibr^ divided into %ells; * 

the message is a fourth message whose content specifies a number of cells; and 
io 1 when* the menage is authentic^ the processing 

allocating th ! e : 'specific riiimber of cells to the entitlement agent. " 



6. The secure element of claim 5, wherein: 

the content of the fourth message further specifies names for tKe cells specified 
15 therein; and v ); 

y - when tfre message is' authentic, tfie processing apparatus responds thereto by 
allocating the specified number of cells to the entitlement agent by name. 



7. The secure elemetit bf claim 5* wherein: 
20 when the content of the fourth message is authentic and specifies no cells, the 

processing apparatus responds thereto" by deallocating all cells belonging to the 
• erititleri&ritT atgerifkftS^em^hg tfe entitlement agent's specifier from the non-volatile 
memory. 

25 8. 1 ; ii^cnire "t^h^6fMmi 2, wherein^ ' 

the message is 1 a fifth message Whose content specifies removal of the entitlement 
agent from !-&e ! sei^r^'8ieWeni^^d ~ ' * 

when the conteht'ofMd iififfii' message is authentic, the processing apparatus 
responds thereto by removing the entitlement agent's specifier from the non- volatile 
30 memory. 
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9. The secure element of claim 3 ? wherein: 7 , n _ >v , ; , 

the entity is the entitlement agent; and ......... v - 

the message is a . sixth message that s^ecifie^the entitlement agent and whose 
content controls access to services received in the, receiver on behalf of the entitlement 
5 agent. 

* ; v •? ••. ti .» . ■ * *l " ICfJL -/'•'. i V.:.: ! . \ : . \. in:. 

10. The secure element of claim 1 , wherein: , a , 

the entity is an entitlement agent that grants an entitlement to the receiver to 
access at least one of the instances; and 
10 . ^ the message is a seventh message which .specif and whose 

content controls access to services received in the receiver; gp b^l^of the entitlement 
agent. 

11. The secure element of claim 10, wherein: , - t + 

t.-jf.; y- :« - " w /.„ .^nhiJi o\.^^f 'w-;-;;c.-: snJ ?nr-.r:o:i t.. ; 

15 the instance of the service is encrypted; t .i 

the content of the seventh message fjurther incjydes a lopg-tern^ ,^y #sed in 
decrypting the instance of the service; and . * , -v. f f 

when the message is authentic, the processing responds to the message by storing 

the long-term key in association with the entitlement agent - ^ : 

20 . ' 

ar.j .i ' ■ • ~s ■ ■ ■ : :';^jei sr 1 : ro Irt-raoo sfij rr ..// 

12. The secure elcnjent of claim 1 1. wherein: . 

. ( the receiver further receives a globaU^^ i?^.em.jpn behalf of 

the entitlement agent but not addressed to any particular receiver; 

the global broadcast message includes a global broadcast message content and a 
25 digest made from the global broadcast message content.ajjd the lorm-term key; and 

Ac apparatus for decrypting and au^henticatmg ^^^ltic^te^^ .global broadcast 
message by making a new digest from the contend Mdj£^ in the 

secure element and comparing the new digest wi^j^herjiigest^^ 
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13. The secure element of claini ii; wherein: 

the receiver further receiVes a~giobiai broadcast message together with the 
encrypted instance of the service,' tke global broadcast message including an entitlement 
reagent' Specifier for the entitl¥m6AtUgeiit ahid an encrypted short-term key derivation value 
5 n fr6m whicti a short-term £ey foi- decrypting the encrypted instance may be derived; 

the receiver provides the entitlement agent specifier agent and the short-terni key 
derivation value to the secure element; and 

the processing apparatus responds thereto by using the entitlement agent specifier 
n to locate the long-term key Wociatfcd with the entitlement agent and using the long-term 
10 key with the apparatus for decrypting and authenticating to decrypt the short-term key 

: ' derivation value, deHving th6 shdrt-term key therefrom, and providing the short-term key 
totheTeceivtr. ' v - 7 ° fi * r ' v " K " T " ^ : ' : 

. . - j-- 

14. The secure element of claim 13, wherein: 

15 the global broadcast message fitfttier includes an authentication value for 

authenticating ttife giobki broadcast message; and 

the receiver further provides the authentication value to the secure element; and 
- the ! prdcessing respo^cfe^theretb By using the authentication value with the apparatus for 
decrypting and authenticating to iu&enticate the global broadcast message. 

20 

15. The secure element of claim* 131 1 wherein: 

* r the auth^ticatidh value i§ k digest made from the contents and the long-term key; 

the apparatus for decrypting and authenticating authenticates the global broadcast 
25 message by mlarkinfe a hb^digesffrorri tiie contents and the iong-term key stored in the 

secure element and comparing the new digest with the digest. 

. _ ■ ; /. [z^z .;■>*:;{ : i: ,'-icj - " «".r *. ... . :« o; 

\, i. .. -.7 .1 "1 . 4 . i : " i "3 1 w'ii-i'i! - - - 
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16. The secure element of claim 10, wherein: < . . . 

the seventh message further contains .an eptjtlement.identifier that identifies an 
entitlement to an instance of a service provided J^y^e^ejititlejment agent; and ^ > 

. when the message is authentic, the prgc^ssijjg, apjjaijatus spoils to the : message 
5 by storing the entitlement identifier in the m$jii<ii^ entitlement 

agent. 

V.;y s *i \ . - - f* .... l - ■ • - - 1 - 

1 7. The secure element of claim 1 6,. wherein: , . 

» n the se X^ nth message further contains ei^tl^rneijt information, that further describes 
10 the entitlement; and - fc , 

. wh ?n the message is authentic, the proce^jng app^tys^sgpnds to the. message 

by storing the entitlement information in the memory in association with llje f entitlejnent 
agent. 

15 18. The secure element of claim 17, wherein: r . 

the entitlement information further conta^ tjtye f 

entitlement is to be deleted; and , , . u 

^ v ^ wh £ n * e mes sage is authentic, $e.pr^ 

by deleting the entitlement information from t^e mepior^.^ | Jn ., M - t , fr ...... T - 

20 

19. The secure element of claim 1 7, wherein: 

. t - .r. , rn:;-:;:; r; ;nofru:3 sin •■' : . 

the receiver further receives a global broadcast. message* together \yith the instance 
of the service, the global broadcast message including an entitlement agent specifier for 
the entitlement agent and an entitlement identifier; - . 

25 , . • s . receiver provides the entitlement a^en$ o s^iQpr>gQ|it ^d^ntillernent 

identifier to the secure element; and 

the processing apparatus responds thereto by using the entitlement agent specifier 
to locate the entitlement identifier in the memory, the processing apparatus enabling 
access to the instance only if there is an entitlement identifier associated with the 

30 entitlement agent specifier that matches the entitlement identifier in the global broadcast 

message. 
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20. The secure element of claim 1 7, wherein: 

• the instance is encrypted wth a sHort-term key; 

' the memory contains a long-term key that is associated with the entitlement agent 
and with a long-term key identifier; 
5 the global broadcast message further includes a key identifier and an encrypted 

short-term key derivation value; 

the receiver further provides they key identifier and the short-term key derivation 
' value to the secure element; and 

the processing apparatus further responds thereto by using the entitlement agent 
10 4 specifier and theTong-term key identifier to locate the long-term key, using the long-term 
key and the short-term key derivation* value with the apparatus for decrypting and 
authenticating to obtain the short-term key, the processing apparatus providing the key to 
the receiver only if 'the entitlement identifier in the global broadcast message matches the 
entitlement identifier associated witH the entitlement agent in the memory. 



15 



25 



21. The secure element of claim f, wherein: 

the message includes a digest of the unencrypted message content that has been 
encrypted with the private key corresponding to the public key for the entity; 

the apparatus for decrypting aTnd authenticating includes digest making apparatus: 



onding to the public key for the entity: 

20 and 

the apparatus for decrypting and authenticating determines whether the message is 



authentic by decrypting the digest in the message and making a new digest from the 



decrypted message contend the message content being authentic only if the digest and the 



new digest are the same. 



* IS : X ■ 



22. A secure element for use in a receiver that receives a global broadcast message 
sent on behalf of an entitlement agent, the global broadcast message including 
authentication information produced using a secret shared between the entitlement agent 
and the receiver, the secure element comprising: 
30 non- volatile memory wherein is stored the shared secret; and 

processing apparatus coupled to the non-volatile memory, the processing 
apparatus including authentication apparatus for authenticating the message, wherein the 
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processing apparatus receives the authentication information, uses the authentication 
apparatus and the authentication information to .authenticate the message, and provides an 
indication of validity of the global broadcast message to the receiver only if the message 
is authentic. 



23^ The secure element of claim 22, wherein: 



' >/i fir. v-; 



there are a plurality of the entitlement agents; 

the global broadcast message further includes a specifier for the entitlement agent 
of the plurality on whose behalf the message is being sent; 
1 0 there is further stored in the non-volatile memory at lest one stored specifier for at 

least one of the plurality of entitlement agents; and 

the processing apparatus further receives the specifier for the entitlement aeent 

from the global broadcast message and provides the indication of validity onlv if the 

jj.-.iyV';.,; ./« '...-** . . \„ :f r -"' -ww' /njr vir:?r: ^ ^r. ?: / v:.-^ < .r;/* .■<:.: 

specifier for the entitlement agent matches the stored specifier. . 

15 

24. The secure element of claim 23, wherein: , 

the receiver receives an instance of a service on behalf of an entitlement agent of 
the pluralitv thereof; 

the global broadcast message is a first global broadcast message that accompanies 
20 the instance and further includes an entitlement identifier indicating entitlement tp the 

instance; 

there is further stored in the non-volatile memory at lest one stored entitlement 

identifier for at lest one of a plurality of instances of a service; and 

u-^ni.^ :l y'/.i - \: c H .a u.^i ■ ^,.^n*t Jiisinoo 3gfi?..25frt d:)-c;^tj^j 

the processing apparatus further receives the entitlement identifier from the first 
25 global broadcast message and provides the indication of validity only if the entitlement 

identifier matches the stored entitlement identifier, 

•> kC: ; . > ' :V„ e ' ? ^ 3^.3 '^H 73 J' 1?. J il€ io". - l" , - . J.. : ^ 

.25. The secure element of claim 24, wherein: 

the instance of the service is encrypted using a,short-term key; 

30 the first global broadcast message further includes a key derivation value; 

• ?i :::.j7:;n' ' :< . t. . 

there is further stored in the non-volatile ipemory a long-term key associated with 
the entitlement agent; . 
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the processing apparatus ffirther receives the key derivation value, uses the long- 
term key together with the key derivation' value to obtain the short-term key and provides 
the short-term key ftf ftiie'ri^ decrypting the instance of the service if the 

global broadcast message is valid. 

26. The secure element* bfcA^^v^tm: ^^ ' • ; '-" 5 f : - - 
^ there ^ ate a 'plurality df ibng : term keys associated with the' entitlement ageiifahd 

stored in the' non-volatile memdry, each of the long-term keys being: associated with^ia 
stored key identifier that is stored in the non-volatile memory; 
10 the first global broadcast message further includes a key identifier identifying a 

long-term key; -and 1 - 1 '' 1 "- 3 . r; A ■■<-' ~\ ' • ' 

; L the processing app^atlis : filler receivesHhe kfey identifier and uses the long-term 
' key associated^with a^stored key iHentifienthat matches the key identifier to obtainthe 
short-term key. 

15 \:\ ? .ex.- J r --- r i 3 *— '■-' t * ' : " "■' f; - ' 

27. The secure element of claim 25, wherein: v ~ J ^ - 
the^key 'derivaSon vialue Has been encrypted using the long-term key; 

' ; the processing* ap^^ 

T ! — - the processing apparatus uses the long-term key tod the decryption apparatus to 
20 decrypt the key : derivanon valued r 5 r 5 - 

28. The secure element of claim 25, wtiereiri: l '' 

the shared secret is the long-term key; 

■ . . . '.■ ...... f .•.«••<*■«•"•' r -* 

f* i-r.;r the^authe is a digest made using contents of the 'first gldbal 

25 broadcast message^ahdltiie shared secret;' and 1 ' ^ .:.tt*;..o 

the authentication apparatus authenticated the messigfe by making a hew digest 

using^fhe : contmtsiMA%e , lGbg^tcm key a[nd cornparing the new digest with the digest. 



29. The secure eleirieiit of* claim 24; wherein: ; ' " :< 
30 the global broadcast message is a second global broadcast message that : J " 

- accompanies the r instance and fiirthdr Includes a purchasable entitlement identifier that 
identifies an entitlement to ?the instance which a "'user of the receiver may putcha^e; 
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the receiver responds to the second global .broadcast message by interacting with 
the user to indicate p^ 

.from, the; user by providing the purchasable entitlement jidentifiei;, to the segure element; 

and .bii*> :': *u>/:m: .oh v L.-jo 

5 the processing apparatus responds thereto by storing the purchasable entitlement 

identifier in the memory in association the processing ^ 

apparatus further Jising thp ? purchasable entitte^nt identifier in the san^e-fashion as the . 
entitlement identifier to determine validity ofyhe, first global brgade^st message;. ; 

10 }0>, - • ,;jTie secure-element .pjf. claim 29, wherein;.,,^ :, L ^ ry ^ •{ j 4V < ^ ;? .;; 

the receiver further sends a message addressed to the entitlement agentij- -~,<s\ 
rn - ?! _ yiV ,* . message has contents that include at lea^t^venpryptipxv ofj^purchasable 
r QntjUement identifier, a key for decrypting..the epcryptjon, an^an.eop^ted>digest of the 
contents; , v : ~* 

15 the memory further includes a public key for the entitlement agent and private key 

for the receiver; < <n$tr -Ij szu ' -jo -y : ' Y " r 

the ^ro^essing^ .apparatus further includes encryption apg^ratu?; r and 
the pjoces,sing apparatus recei ves the .cortfepts^ provides; ^ £ur^r<keyj for r: 
. cteciypting, the. enciyption V: vs?s the.encryption appar|ttus 7 ^id .the ^rtterke^to encrypt the 
20 encryption, uses the public key for the entitlement ^ 

encrypt the further key, makes the digest of the contents, and uses the private key and the 
encryption apparatus to encrypt the digest. , r r a3 , r v ; ^ , n . -^T 3 1 

25 determined by an entitlement agent, the receiyei^ending messages jo ^.entitlement 

, ^nt and the ; secure eieipent comprising;. JT ^tsuzc-.s m ?-:*j v i: ♦.• . j 
> i: n^-volatile memory wher^n is^tored^.g^ 
receiver and a public icey for the entitlement agent; 

processing apparatus coupled to,, the non-yalatHe, memory, the processing r 
30 apparatus including apparatus for encrypting* : the j^vatgs JR^r, encrypting^responding to 

pontent of a given message by making a digestif the content and encrypting the/iigest 
using the private key for the receiver, encrypting the consent yyith.a further key, r . 
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encrypting the further key with ar public key for the entitlement agent, and returning the 
encrypted content, the encrypted digest, and the encrypted further key to the receiver for 
inclusion in the mesSage; r f! jr - H ' ' ' < • 

32. The secure element of claim 3 1 , wherein: 
the secure elem^nWlrlmpleitignted iri ai module which is separate from the 

remainder of the receiV^^^ 

33 . ' A Service brigirfatioii component included in a cable television system for securely 
transmitting to a service reception component, the service origination component 
comprising: 

a transnctidh dncVyptioif device for storing a private key for an entitlement agent 
that is included in the cable 1 teleViiiori system instances of service to the 

service reception component; and 
1 5 a controller securely linked to the transaction encryption device for encrypting 

information^ usirig ttfe private key for subsequent transmission to the seWice reception 



10 



25 



34. The service origination component of claim 33, wherein the service origination 
20 component comprisei T table television head end Equipment. 



35. The service origination component of claim 33, further comprising: 

a processor coupled to the transaction encryption device for processing data using 
a secure hash fuhbtioh to generate ffie info 



36. The service origination component of claim 33, further comprising: 

: the entitlement agent coupled to the controller for generating an instance of 
service; * - 

a raAdom number generator for generating a multi-session key (MSK); 
30 a processor coupled' to the riandom number generator and the controller for hashing 

the instance of service and the MSK in a secure one-way hash to generate a digest that is 
included as a part of the information. 
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37. The service origination component 9f claiijt, 3,6, further comprising: 

an encryptor coupled to the controller for,furtiier enciypting .the information using 
a public key associated with the service reception component^prior to transmission of the 
information. 

3 8 . The service origination component of claim : 3.6>, r jft^^ ; £omprising:, . 

a message generator coupled to the processor fQr K £enerating an^ntitlement ,. . » . 
management message including the digest, wherein the entitlement management message 
is encrypted by the processor using the private key to. generate, the information that is 
transmitted to the service reception component. 

■:ni;;nq.. ; 

39. The service origination component of claim 38. wherein the entitlement 
management message is further encrypted usin§ a.gublic r key .of tJ>e servicq reception . 
component. - . 

40. The service origination component of claigi 33, f^r|^^c ^^^^pffJjpSr- * ^ 

conditional access authority establishment apparatus for establishinfe^^n^itional 

access authority. 

20 41. The service origination component of claim 4a whejein:, - _ 

the transaction encryption device further stores a private key of the conditional 

access authority. . f „ 

; v ' . «. . , . . .. ' ; t '>o : {.i.-e'"/!::. c -*^'. ,# r:2 ; * :c 

42. The service origination component of claim 41,, fuxthjer cp^rising;^ 
25 a message generator for generating a message comprising a public key of the 

entitlement agent; 

an encryptor coupled to the message generator foj* encryptingrthe message using 
the private key of the conditional access authority; and 

a transmitter coupled to the encryptor for trammittinjg the message to the service 
30 reception component that is intended to receive the instances of service from the 

entitlement agent. 

t r:: ; . : , .i • - ■ :.A -ri' w r; r; . • 
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43. A cable television system for providing secure transmissions, the cable television 
system comprising: 

an entitlement agent forgerierating instances of service; 
:r - a service origination con^orierit including: 
5 a transaction encryptibri d&Vice for storing a private key - for the entitlement ' 

agent; and ! 1 ' * 

a controller securely linked to the transaction encryption device for encrypting 
information lising the privktfc key for subsequent 

' a service reception component for receiving the information and for decrypting the 
10 information using a public key of the entitlement agent. * 

44. The cable television systditir of claim 43, wherein the service origination component 
comprises cable television head' enfd'equijimeht. 

15 45. The cable television system of claim 43, further comprising a transmission medium 

coupled Between the's'efVibe 4 brilgiif^tion Component arid the service reception component. 

46. The cable television system of claim 43, wherein the service reception component 



20 



comprises a cable television set top terminal. 



47. The cable television system of claim 43,, wherein the service origination component 
further cofripnses: J " 

a random number generator for generating a multi-session key (MSK); 
- rn :u 2 prbcessctf co^jpie'^^^e'i^riddni '"number generator and the controller for hashing 
25 an' instance bf service aiiH tffe MSK in a secure one-way Tiash to generate a digest that is 

included as a part of the information. 
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48. The cable television system of claim 47, y/herein the service origination component 
further comprises: ' r , . 

a message generator qoupled to.th^ t propessor ? fpr^enerati 
management message including the digest, ; w^erei^ message 
5 is encrypted by the processor using. the private. kpy 0 tc) r generate the information that is 
transmitted to the service reception component. _ 

49. The cable television system of claim 4$, w^ereiq tb.e^ntitlement manag^njept t , j 
message including the digest is further encrypted u^jftg a pubjip key .of the service 

10 reception component. . , ■ . , • f . . 

, .JO.^ The cable television sysjtem of .claim 43* ^f^^co^ppsing;.., ^, h . ,. L 
conditional access authority estabHshmpnt ^p^^tu?r fpr establjshi^g!a t . conditional 
access authority. 

5 L The cable television system of claujyiO,.^^^ 

of the service origination component further stores a private key of the conditional access 
authority. . . i „ t _ 

20 52. The cable television system of claim 51, wherein the service origination component 

further comprises: 

a message generator for generating a message comprising a pubjic.ke^y pfrhg./, .* 
entitlement agent; 

■ w*r -o? ?vWI*?F coupled to the ™ es sage ge^ the 
25 private key of the conditional access authority and a public key of the service reception 

component; and . 

a transmitter coupled to the encryptor for transmitting the message to the service 
reception component that is intended to receive the instances of service from the 
entitlement agent. 



: 91 

SUBSTITUTE SHEETXRULE 26) 

BNSDOCID <WO 9SO7150A1 I > 



WO 99/07150 



PCT/US98/16145 




RNsnocm <wo oqo7i&oai. » > 



... WO ,99/07150 PCT/US98/16145 

2/21 




BNSOOCID <WO 99071 SOA1 I > 



WO 99/07150 



L 

PCT/US98/16145 




BNSOOCIO <WO 99071SOA1 I » 



WO 99/07150 



PCT/US98/16145 




BNSDOCID <WO 9907150A1 I > 



WO 99/07150 



PCT/US98/16145 



5/21 




BNSDOCID <WO 99071&OA1 1 > 




BNSDOCID <WO &907l5OAt l > 




BNSDOCtO <WO 990715GA1 I > 



> 

WO 99/07150 



PCT/US98/1614S 




BNSDOCID <WO 9907150A1 I > 



WO 99/07150 



< 

PCT/US98/16145 



9/21 0 




RNRDOCH") <WO 99071SOA1 I > 




BNSOOCID <WO 9907150A1 I > 



WO 99/07150 



PCT/US98/16145 



12/21 



now INTERFACE 
1 ZUJ ^ TO DHCT 



1207 



120W 




1409(1) 



1333(2) 



>4'333C3)- 

. r ¥401 



Risjsnnr.in <wn ogo7isnAi i > 



WO 99/07150 



< 

l>Ct/US98/16145 



13/21 



r 



NVA 
STORAGE 
1303 



r 



RO 
STORAGE 

1301 



1319 
1317-^ 

.CODE 
I3l5r 



1305 



-EA INFO 1 333(n 



,¥ i 



L 



EA_ INFO J 333(f) 



GAA DATA 



'4- 



1330; 



s ACAA KEYS 



DHCT KEYS 



CODEFOR -OTHER-£A- MESSAGES 



-£CM-CODE 



-EA MSK CODE 



£A-A0M1N.. EMM CODE 



CAA EMM CODE 



_ _ :i£i_ll^:CODL v 



M311- 



Itqqz ■ * 



RSA._C0DE._ _ 
MD5 CODE - 



1 l 309 

i 



i V 



- 1207 



1503-j* 
1505-p 

1-507:-^ 

c»\tr 

151 3 

15!l5Mz 
,..1517^ 
"1519- 
; 1521-^ 

1525-r- 
1 527 - 



CELL STATUS 



M308 
1501 



FIG A3 



EA 
STORAGE 

M331 



^1329 

. ADMIN. 
STORAGE 
>H330 

M325 
1323 

M321 



< 



.EMM 
CODE 
M313 

ENCRYPTION 
►DECRYPTION 
CODE 

1307 



-CELL TYPE 



"CELb NAME 



mi. 



EA ID 



CAA FLAGS 



.FIRST. MVSC 



•EA MAX.. 



.- . DHCT FLAGS 



STORED CRED. LIM. 



X COORD. 



;.:y coord. 



PIN 



r7 - -EA PUBLIC KEY 



-HEADER 
-1502 



< 



CAA FIELDS 
M506 



< 



- EA FIELDS 
-1516 

^™ FIG. 15 

4 — 1506 



EAD 1409(0 



PCT/US98/1614S 



14/21 



1603- 

1605- 

1607— 

1609- 
161 1 — 

1615- 
1617- 

1621- 

1627- 
- 1629- 
163T— 



HEADER 



MSK ID 



EXP. DATE 



NO EXP: 0ATE-- 



EVEN-M5K- 



ODD MSK 



-1502 



MSK NVSC 1601 



HEADER 



FIRST ENTITLEMENT-ID. 



EXP. DATE' - 



NO EXP. DATE 



BIT MAR 



\msk1 

-^-1608 
-1502 



... ENTITLEMENT' BIT MAP NVS C 1613 i 



-v.HE-ADERi; 



•ENTITL-EMENHD- 
- &?: DATE— 



Hie 



r-NQ- EXP. flflE- 



It 



-V625 



J J-' 



.V-J ■ v' 



j(; ) 



1603- 

1605- 

1607- 

1609- 
4611- 

1 62 1 — 



1705- 

1 707- 

1709-^ 

1711- 
1713- 



-ENTITLEMENT iilSJ .NVSC ... Wi ..! 

1562 



HEADER 



MSIHD 



EXP. DATE 



NO EXP. DATE 



<■, >EVEN ; MSK 



ODD MSK 



* BIT MAP 



Wit 



CQMBINA110NL MSI^'AND. BJJ-MAP-f^' 




} READER 



FLAGS 



-PURCHA5RIMF 



" EVENT: TIMET" 



COST 



ENTITLEMENT-ID" 



VitVENT DESCRIPTOR 



'A: 



F/G. 1 7 



EVENT -NVSC- iTflf- 



WO 99/07150 PCT/US98/16145 



15/21 

r 805 



CA_MESSAGE 



GBAM 1801=1803+1805 



T,.-i. 



CA MESSAGE 
"READER 

><-ini 



^1003 



^803 



CA_GBAM_MESSAGE 



1805 



GBAM MAC 



i 



/ 



■ .'0' 



\ : / 
\ 

\ 

\ 



MD5 0 - \ 



ECtf'MAC INPUT 
•'- 



\ 



GLOBAL BROADCAST. AUTHENTICATED. MESSAGE 



\ 

\ 



GBAM^HEADE^ 1 



-GL0BAL6R0A0CASL DATA . 



J' -• 



-1807 



7m r ^1809.. 



1/2 MSK 
^1015 







— 1901 




Ihl'CA SYSTEM ID 


- /.GBAM TAG 




| 1905 — 


- J3 ,; ■ ' .; EA ID ). 


; 


i J9Q7-d 


~:Y.?;~ MSK PARITY 




f— 1909--=^ 
1— 1911 — 


<0 -MSK SELECT/ 




- .'COMMAND. CODE 





i - , 



GBA^IEADER " 18 07 



1.917- 

-191 9r 

—1921- 

:m;923— 

1925 - 

..J 927.-: 

,• .192?- 



ENTITLEMENT-ID-'- 



FLAGS 



NO.-: OF MODES 



•MODE-RIGHT TO COPY 



EARLIEST START 



LATEST END 



MODE LENGTH 



MODE COST 



-1915 



) PURCHASEABLE ENTITLEMENT DATA 1913 



Flaw 



BNSDOCID <WO 99071SOA1 » > 



WO 99/Q7150 



PCT/US98/16145 



16/21 



:2001. 



" SERVER 
APPLICATION 



GBAM 
PAYLOAD 

2003^ 



APPLICATION, miJUSWiL. 



2007 



CLIENT 
.APPLICATION 



GBAM 
-1801 



— GBAM-- 

1801- 



EMTITLEMENT 
AGENT- - 



-2005 



Li' 



2009 



ACK 



DHCT SE 



: -E1G. 2Q, 



627 





--CA-5YST-EM .' Lli: 


\ ; .2203-- 


CA MESSAGE TAG 


2207 — 


EA ID 


2211- 


MSK PARITY 


2213— 


MSK ID 


2215- 


CW PARITY 


22t7- — 1 


j! PARITY COUNT : 


2219- 


- i FREE >. PREVIEW ~r "- ' 


2221— 


COPY PR0T. LEVEL ^ 


2223- 


! BLACKOUT /SPOTLIGHT ! — r-" 0 ? 


2225— 


■ NO.-vENIITLEMENT ID's-f^ 

■■ — * ewi 


2229- 


- i LC -ALLOW W. J — ■• ■• ? •: 


2231 — 


^rARCf^: WINDOW 


,. , 2233- 


TIME STAMP 


<)■'. "2235— 


'CONTROL WORDT COUNTER-VALUE 


2237- 


- • BLACKOUT RADIUS" — r 1 1 r 


2239— 


■u X CENTROID 


2241- 


• Y-1CENTROID- 




ENTITLEMENT ID r 




-. . : - :^®45 



j/2205 
rSiESSAGE ID 



} DECRYPTION INFO. 
X 2209 



EVENT INFO. 



J 2227 



I BLACKOUT/ 
ISPOTLIGHT INFO. 

<2236 



I ENTITLEMENT 
ID BIT 



2243 



: m:22 



BNSOOCID <WO 9907 1 SOA \ I > 



WO 99/07150 



PCT/US98/16145 




BNSDOCID <WO B9071SOA1 I > 



WO 99/07150 



PCT/US98/16145 



18/21 



23 0 3. ^WTHENT1CATI01^ 



AID 



2307-= 7 



SD 



13 



•2309; 



CODE MESSAGE 



2301 



V 



CODE 



^2305 



ma 23 



255 



2601 



3 
2 
1 
0 



■ j. . - _ K 

i i.i :, — ^ 
..' ' ' 1— 


| " - A 

-W-- L: r 


'! !-- ! 2603^ 

• ' :: ' . r ~\. ' 

ill • •_-; . 

Ill "jU 

ill-. .->.'=2 ■- 

I I I '- -«-;.V;r-r' 
- -4-1- 4- 1-^- 

I'vl 1 _ _'j^z 

• ■ ■ ■ i 


Si ! 


^ i ! 

i ! 

r .1 _:J 


L-i-l-i- 
— r- L 



0 1 2 3 

A ■ . . 



FIG. 2 6 



255 



2-703- 

i T 1 • r~^T 



92- 
91- 



90 *| | 1 U]V 1 



89~ H -t -pftc^- 

88-tlf^fi^ 
_ lild 



87 
86 



84^ 



0 



I I 



^ . r Tin 

I I I 1 I I 1 




: «=90-ti3fc ; 



IE 



44 - j 



at" 

|=rS ; 2701 
90-51 



I I 

T T 



50 51 52 53 54 55 56 57 58 59 60 61 62 



BNSOOCID <WO &907150A1 I > 




BNSDOCID <WO 99071SOA1 I > 



WO 99/07150 



PCT/US98/16145 




BNSOOClD <WO 9907150A1 I > 



WO 99/07JS0 



PCT/US98/16145 



[... 



21/21 



.:. — DHCT- 

ROOT SIGNATURE 



DHCT 

CHAIN a ~~>- 



GEOPOLITICAL 

CA SIGNATURE 
_ — _ j,,,^ 



,2807 



2801 



FGPA 

-SIGNATURE — 



2805 



"2806 



DHCT SET TOP 
SIGNATURE 



_ROOICAA_ 
SIGNATURE- 



OPERATOR 
CHAIN 



■ - t 



-OPERATOR- 1 1 
rGAA-SIGNATURE 



OPERATOR IN 

-:;;;:;CAA: f ;:™:: 



OPERATOR |1 
EA#1 
SIGNATURE 



J: 



OPERATOR #1 
EAN fN- 

SIGNATURE* 



01 



OPERATOR #N 
-EA |1 
SIGNATURE 



u FI&28 



v i 



■<!. 



cf-C 



EMM GENERATOR 



ROOT CM PRIVATE KEY 



OPERATOR CAA 
PUBLIC KEYS 



CERTIFICATES 
(PUBLIC j(EYS| 



2902 



2994 



2901 

-2905.. 



V ? » 

W-,1 



17! ! 



■:■ \-> .-. V- !ri/7^3 1 




FIG. 29- 



BNSDOCID <WO 99071S0A1 I > 



^ INTERNATIONAL SEARCH REPORT 


national Application No 

PCT/US 98/16145 




jh APAmmTIAll o p Mm IC^T A I'll l> 

A. CLASSIFICATION OF SUBJECT MATTER . 

IPC 6 H04N7/16 H04N7/167 

According to International Patent Classification (IPC) or to both national classification and IPC 




B. FIELDS SEARCHED f 




Minimum do cumentation searched (classification system foBowed by classification isyjnpQls) L' J >'j - 

IPC 6 H04N - ; 2;\.\i\,u,2 AC ; 

I ' '- ' 




Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 

y . _ ; _ ~ 

».t. - •>r^; ' t K.I 




Electronic data base consulted during the international search (name of data base and, where practical, search teirns^jsst^^ 1 ' 

I • j . F5iT": — t "a ;: : \ ' 




C. DOCUMENTS CONSIDERED TO BE RELEVANT A \^ . A^: ! 




Categcwy K 


Citation of document, with indication, where appropriate, df ine relevant Dassaaes • | 


t ^ m * Relevant to claim No. 




Y 


- A EP ,0 752 786 A (THOMSON CONSUMER ~r"7~ r - -™ 
1 { BtiEetRONIGS) 8\JanuaVy 1997 ; : ? : - \ \ Vj< ' 

^rsee page 2, ifneA - line 30 ?r\«\AZl\ ! I——. 

•siee^prage 4-; Tine t - page 9, line -59 — 

see. page 11, line 3 - page 12, line 10 
see T igtires 1-12 

COUTROT F ET AL: M A SINGLE CONDITIONAL 
ACCESS SYSTEM FOR SATELLITE-CABLE AND 
TERRESTRIAL TV" 

IEEE TRANSACTIONS ON CONSUMER ELECTRONICS, 
vol. 35,^ no ' 3, 1 August 1989, pages 
464-468, XP000065971; •/ - v . 

New Yor^,^Nr\ US,-- - - , 

see the wlio^e document -/^ i ; jr.jf , j 

j — - j**"- 

» 1 T ~ ~ : 

i ■ ■ : * 1 

) „:'_." : i i 


-•- • j=3 2 ' 
DiC 33-52 

33-52 


j )( | Further documents are listed in the, continuation. of box.C^ ' jj( .f^aterjt family members are listed In annex. 


* Special categories of cited documents : 

' T* later document published after the international filing date 
•a- ziof ^irw, h\a •t*** «t art « ™» or priority date and not in conflict with the application but 
1oS^d7M~S £E£5* ^ c^to understand the principle or theory underlying the 

" E " 0 f, r ^ r ( ? l cumGnt but puW8had on or intQmationaJ -X- document of particular relevance: the claimed invention 

rmng gate canned be considered novel or cannot be considered to 
V document which may throw doubts on priority daim(s) or involve an inventive step when the document is taken alone 

^^^t^S^^S^^^ 01 an0th8r ^r4fi^~#piiG^iSma&; the claimed invention 

citation or other special reason (as spec l fiedj;, caVinot be considered to involve an inventive step when the 
"O* document referring to an oral disclosure, use, exhibition or document is combined with one. or more other such docu- 

othermeaps '* , , .* merits. suchTc^mbir^tlonb^ 
-P- document published prior to the international fling date but ""^ - v ' ~ i ' . ' * 

later than the priority- date'etaimed documenLmejnbet of Jhe same patent family 


Date of the actual completion of the International search 

11 November 1998 


Date of mailing of the international search report 1 

19/11/1998 


Name and mailing address of the ISA 
i European Patent Office. P.B. 5618 Patentlaan 2 
NL - 2260 HV Rljswtjk 
Tel. (^31-70) 340-2040. Tx. 31 651 epo nl. 
Fax: (♦31-70)340-3016 


Authorized officer 

Van der Zaal , R 



Foon PCT/ISA/210 (second tfweQ (July 1902) 



page 1 of 2 



INTERNATIONAL search report 

•■ . . . ~r ' • . 


national Application No 

PCT/US. 98/16 145 


C. (Continuation) DOCUMENTS CONSIDEREDTO BE RELEVANT 


Category *» 


Citation of document, with indteation.where japprogriate, of .the relevant passages . 

li ; 


Relevant to claim No. 


X 

\" J : 

'.'00 

■-*■?■:.: 

Fonfn PCT/ISAfl 


WG 95 29560 A (THOMSON CONSUMER 
^ELECTRONICS) 2 November 1995 

■ J'! ! : ■£ 'j 

-*; ? see page l,Jllni|Hf- 11 fie 34 - ' • " ' 
'::§ee page 2,*1 Ifte X3-f- line 25 
"r /sefe page 5, ;l 1ne„6' -e page; 14, line 8 
■>■ see f 1 gures* 1-5 ' v 0 ■ * 1 : 

- 'j c\. l' f ) ".; b\: S C. "* " 
"-«." ; . " >,^ :: ' V K . 

^ I c L ■ ^ . ? 4 i * 

c 

MO {continuation of second ahe«t) (July 1092) 


1-4, 
9-14, 
22-24, 
29,31,32 ; 

{ 

f 
1 

i 

1 

t • 
i 



page 2 of 2 

BNSDOCID <WO 9907150A1 1 > 



INTERNATIONAL SEARCH REPORT r 



Information on patent family member* 



rnttional Application No 

PCT/US 98/16145 



••" ' Patent document 
. .cited in.search report. 



Publication 
date 



"< ..>;E?atent family h 
membar(8) 



Publication 
- date 



EP 0752786 



WO 9529560 



A _ .„ .08-01-1997 



02-11-1995 



..US 5625693 A 

....BR- 1;G ?6P2980 A 

?M 146122 A 

*" JP 9121340 A 

. US,- .5619501 A 
CA, .2^88127 r A 
,^C^ r 115,1233 A 



29-04-1997 
06-01-1998 
26-03-1997 
06-05-1997 



CN 
EP. 
EP 
JP 
US 



1167405. A 
.0756801' A 
0858222 A 
9512675 T 
5802063 A 



08-04-^1997 
02-11-1995 

04- 06-1997 
10-12-1997 

05- 02-1997 
12-08-1998 
16-12-1997 
01-09-1998 



.. ... . . Fwn RCT/ISA/210 (patent fwnly max) (July 1992) - 



1 




This Page is Inserted by IFW Indexing and Scanning 
Operations and is not part of the Official Record 

BEST AVAILABLE IMAGES 

Defective images within this document are accurate representations of the original 
documents submitted by the applicant. 

Defects in the images include but are not limited to the items checked: 

□ BLACK BORDERS 

□ IMAGE CUT OFF AT TOP, BOTTOM OR SIDES 

□ FADED TEXT OR DRAWING 

^BLURRED OR ILLEGIBLE TEXT OR DRAWING 

□ SKEWED/SLANTED IMAGES 

□ COLOR OR BLACK AND WHITE PHOTOGRAPHS 

□ GRAY SCALE DOCUMENTS 

l£6jNES OR MARKS ON ORIGINAL DOCUMENT 

□ REFERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY 

□ OTHER: 

IMAGES ARE BEST AVAILABLE COPY. 
As rescanning these documents will not correct the image 
problems checked, please do not report these problems to 
the IFW Image Problem Mailbox. 



PAGE BLAHK 



(USPTO) 



